Largest HIPAA Settlement Announced Against A Single Entity: $5.55 Million
On August 4, 2016, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced that Advocate Health Care Network (Advocate) agreed to pay a settlement amount of $5.55 million and adopt a multi-faceted corrective action plan (CAP) to resolve multiple potential violations of the Health Insurance Portability and Accountability Act (HIPAA). Advocate is the largest fully integrated health care system in Illinois with more than 250 treatment locations.
According to OCR, the electronic Protected Health Information (ePHI) of approximately 4 million individuals was impacted by three breaches reported by Advocate to OCR in 2013.
The three breach reports submitted by Advocate to OCR were for separate and distinct incidents involving unsecured ePHI of an Advocate subsidiary. The first breach notice concerned the theft of four desktop computers containing ePHI from an administrative building. The second breach notice related to unauthorized access by a third party to the network of a business associate of Advocate that provided billing services. The third breach report involved the theft of an unencrypted laptop from the vehicle of a member of the Advocate subsidiary’s workforce.
OCR’s investigation of these three breaches concluded that Advocate did not abide by various HIPAA Security Rule and Privacy Rule provisions including the failure to: (i) conduct an accurate and thorough risk analysis of all Advocate facilities, information technology equipment, applications and data systems using ePHI; (ii) implement policies and procedures to limit physical access to its electronic information systems; (iii) reasonably safeguard ePHI; (iv) obtain satisfactory assurances from its business associate to safeguard all ePHI in the business associate’s possession or control; and (v) reasonably safeguard ePHI in an unencrypted laptop in an unlocked vehicle overnight.
In addition to the $5.55 million settlement payment, OCR and Advocate entered into a CAP. The CAP requires Advocate to do the following within specific timeframes:
- conduct a comprehensive and thorough risk analysis of the potential risks and vulnerabilities of the confidentiality, integrity and availability of ePHI held by Advocate;
- develop an enterprise-wide Risk Management Plan to address and mitigate security risks and vulnerabilities identified through the Risk Analysis;
- develop a written process to regularly evaluate any environmental or operational changes that affect the security of ePHI in Advocate’s possession or control, including Advocate’s acquisition of new entities;
- develop a report regarding its encryption status identifying the total number of Advocate devices and equipment (e.g., desktop computers, laptop computers, mobile phones, medical equipment) that may be used to access, store, download or transmit Advocate ePHI and the number of these devices that are encrypted and evidence of such encryption;
- review and revise its policies and procedures relating to device and media controls;
- review and revise its policies and procedures on facility access controls;
- review and revise its policies and procedures relating to business associates;
- develop an enhanced HIPAA Privacy and Security awareness training program; and
- develop an internal monitoring plan with respect to Advocate’s CAP compliance.
The OCR press release announcing the Advocate settlement suggests that Advocate’s noncompliance with the HIPAA Security Rule in certain instances dated back to the effective date of the Security Rule (April 20, 2005).
Takeaways and Important Next Steps
The Advocate settlement is the ninth announced by OCR in 2016. Saul Ewing attorneys have written about some of these previous settlements here:
OCR HIPAA settlements with covered entities and business associates for 2016 alone now exceed $20 million.
Covered entities and business associates should (1) review each OCR settlement agreement and take the lessons from these public documents to ensure their own organizations are not susceptible to the same fact scenarios, and (2) take appropriate precautions to ensure HIPAA compliance. Privacy Rule, Security Rule and Breach Notification Rule compliance are equally important for covered entities and business associates.
Saul Ewing attorneys regularly counsel and assist clients with their HIPAA Privacy Rule, Security Rule and Breach Notification Rule challenges and needs, including assistance in conducting risk assessments and implementing risk management programs. For more information on these matters, please contact the authors or the attorney at the firm with whom you are regularly in contact.