Why it matters: On August 4, 2016, the U.S. Department of Health and Human Services announced that Advocate Health Care Network agreed to pay $5.5 million for “multiple potential” violations of the Health Insurance Portability and Accountability Act (HIPAA) involving electronic protected health information. The settlement was the agency’s “largest to-date against a single entity.” Read on for a recap.

Detailed discussion: On August 4, 2016, the U.S. Department of Health and Human Services (HHS) announced that its Office for Civil Rights (OCR) had entered into a settlement with Advocate Health Care Network (Advocate)—described as the “largest fully-integrated health care system in Illinois”—pursuant to which Advocate agreed to pay $5.5 million for “multiple potential” violations of the Health Insurance Portability and Accountability Act (HIPAA) involving electronic protected health information (ePHI). HHS called the settlement its “largest to-date against a single entity.”

OCR Director Jocelyn Samuels said that “[w]e hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure… This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”

According to the facts in the press release, Advocate submitted three breach notification reports under HIPAA in 2013 pertaining to “separate and distinct” incidents involving its subsidiary, Advocate Medical Group (described as a nonprofit physician-led medical group in the Chicago area) that affected the ePHI (including “demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and their expiration dates, and dates of birth”) of approximately four million individuals. After conducting investigations into the breach notification reports, OCR found that Advocate failed to: (1) “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI”; (2) “implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center”; (3) “obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession”; or (4) “reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight.”

HHS said that the “significant” settlement was the result of the “extent and duration of the alleged noncompliance (dating back to the inception of the Security Rule [under HIPAA] in some instances), the involvement of the State Attorney General in a corresponding investigation, and the large number of individuals whose information was affected by Advocate, one of the largest health systems in the country.”

See here to read HHS’s 8/4/16 press release entitled “Advocate Health Care Settles Potential HIPAA Penalties for $5.55 Million.”