On August 4, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced a settlement with Advocate Health Care Network for multiple potential HIPAA violations involving electronic protected health information (ePHI). Advocate agreed to pay a settlement amount of $5.55 million to resolve the alleged violations and will adopt a robust corrective action plan. This settlement is the largest to date levied by OCR and is the culmination of several investigations dating back to 2013, conducted by OCR and the State Attorney General of Illinois.

“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,” said OCR Director Jocelyn Samuels. “This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”

Advocate submitted three breach notification reports in 2013, all relating to its subsidiary, Advocate Medical Group.  In the separate and unrelated breaches affecting the ePHI of approximately 4 million individuals, the information at risk included demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and their expiration dates, and dates of birth.

The first breach occurred on August 23, 2013, when four desktop computers containing the ePHI of 3,994,175 individuals were stolen from an Advocate Medical Group office in Park Ridge, Illinois. The second breach involved Blackhawk Consulting Group, a business associate of Advocate, which provides billing services to Advocate Medical Group. An unauthorized third party accessed Blackhawk’s network between June and August 2013, compromising the ePHI of approximately 2,027 individuals. The third breach was reported on November 1, 2013, when Advocate advised OCR that an unencrypted laptop containing ePHI of approximately 2,237 individuals was stolen from an employee’s vehicle.

The investigation of the breaches revealed that Advocate failed to effectively assess and monitor its HIPAA compliance program. The company failed to conduct accurate and thorough assessments of the potential risks and vulnerabilities to all of its ePHI. Advocate did not have adequate policies and procedures to limit access to its data support center housing electronic information systems. Advocate also did not have written business associate agreements with its vendors, assuring their compliance with safeguarding all ePHI in their possession. Lastly, Advocate did not reasonably safeguard an unencrypted laptop when it was left in an unlocked vehicle overnight.

The Resolution Agreement requires Advocate to enter into a Corrective Action Plan for a term of two years.

Entities covered by HIPAA must implement strong data security safeguards in their environments, and in particular, comply with the HIPAA Security Rule to ensure the confidentiality, integrity, and availability of all of the electronic protected health information (ePHI) they create, receive, maintain or transmit. Covered entities and business associates must exercise due diligence in reviewing their HIPAA compliance programs and conducting system-wide audits of their ePHI safeguards to identify and update areas with vulnerabilities that could put personal health information at risk.