OCR announces record HIPAA settlement
On August 4, 2016, the HHS Office for Civil Rights (OCR) announced it had entered into a $5.5 million settlement agreement with Advocate Health Care Network (Advocate) to resolve multiple potential violations of HIPAA involving electronic protected health information (ePHI). This is the largest ever HIPAA settlement against a single covered entity and the third multi-million dollar settlement in the past three weeks.
Advocate is the largest fully-integrated health care system in Illinois, with twelve hospitals and more than 250 total treatment locations. The OCR press release announcing the settlement stated that the investigation of Advocate began in 2013, when Advocate submitted three breach notification reports pertaining to its subsidiary, Advocate Medical Group. The three breaches affected the ePHI of approximately 4 million individuals.
Based upon its investigation, OCR determined that Advocate failed to: (1) conduct an accurate and thorough risk assessment; (2) implement facility access controls to limit physical access to electronic systems housed in a large data support center; (3) execute a business associate agreement with a vendor stating that the vendor would appropriately safeguard ePHI; and (4) safeguard an unencrypted laptop left in an unlocked vehicle overnight.
OCR stated that the large settlement amount is a result of the extent and duration of the alleged non-compliance, the involvement of the Illinois Attorney General in a corresponding investigation and the large number of individuals affected by the three breaches. OCR alleges that, in some instances, Advocate’s noncompliance dated back to the inception of the HIPAA Security Rule.
OCR Director Jocelyn Samuels said, “We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure….This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”
As noted by Ms. Samuels, all HIPAA covered entities should regularly engage in risk analysis and risk management, particularly with regard to ePHI. Electronic systems are constantly changing, with existing systems receiving regular updates and new systems being added. The risk analysis should not be limited to the electronic medical record; it should include all of the organization’s systems that could potentially put patient data at risk. Once the risk analysis has been updated, the organization should revise its policies and procedures to account for newly identified risks in order to ensure that ePHI is secure.Download PDF