In June 2016, OCR entered into its first settlement agreement with a business associate, Catholic Health Care Services of the Archdiocese of Philadelphia (“CHCS”), for potential violations of the HIPAA Laws by failing to protect electronic protected health information (“EPHI”) of nursing home residents. The smartphone of a CHCS employee was stolen and contained EPHI. The smartphone was not password protected, and the EPHI was unencrypted. The EPHI of more than 400 residents included social security numbers, diagnostic and treatment information, medications, and the names of family members and legal guardians. OCR determined that CHCS had failed to perform a HIPAA Security Risk Assessment and implement a risk management plan regarding compliance with the HIPAA Laws, and that CHCS didn’t have policies and procedures as required under the HIPAA Security Rule. The settlement included a penalty of $650,000 and a corrective action plan for two years, which will be monitored by OCR….beware