News & Insights  |  Media Mentions

Related Professionals

Practice Areas


Patricia O'Connell
Senior Communications Manager

Kirk Nahra Comments on First-of-Its-Kind OCR Settlement by ‘Business Associate’

July 5, 2016

Kirk J. Nahra, chair of Wiley Rein’s Privacy Practice and co-chair of the Health Care Practice, was quoted in today’s Politico “Morning eHealth” daily report about a recent $650,000 data breach settlement by a Catholic health care organization over the theft of a mobile device containing protected health information of nursing home residents. In announcing the settlement, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) said the organization, as a business associate of several nursing facilities, should have had policies in place regarding the handling of mobile devices to address the privacy requirements of the Health Insurance Portability and Accountability Act (HIPAA). The organization, part of the Archdiocese of Philadelphia, provides the nursing homes with information technology and management services.

The case is significant, according to Mr. Nahra, because it’s the first of its kind involving a business associate; it’s an area in which OCR recently said it would enhance enforcement of HIPAA rules.

“I’m expecting lots [of action against business associates], but wasn’t expecting anything this quickly or with so little fanfare,” he said. “I am quite surprised that the first one involved an entity like this, essentially a charity. Big challenges here because of the wide variety of kinds of entities, their HIPAA activities and their actual involvement with protected health information.”