On August 4 2016 the US Department of Health and Human Services Office for Civil Rights (OCR) announced that Advocate Health Care Center has agreed to pay $5.55 million to settle multiple violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This is the largest HIPAA settlement to date against a single entity and, according to the OCR, is due to the severity of the HIPAA violations and the length of time that those violations were allowed to persist. OCR alleged that in some instances, the purported violations date back to the effective date of the HIPAA Security Rule.

According to the OCR press release, Advocate Health first came under investigation by the OCR in 2013 due to three separate breaches of unsecured electronic protected health information (ePHI) (theft of four desktop computers, theft of an unencrypted laptop and unauthorised access to a business associate's network) occurring between August 23 and November 1 2013, which affected approximately 4 million individuals. The ePHI included demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and expiration dates, and dates of birth.

In investigating these three breaches, the OCR uncovered one of the most common violations of the HIPAA Security Rule – failure to conduct a comprehensive, organisation-wide risk assessment of the potential vulnerabilities to ePHI. In addition, the OCR found that Advocate Health had failed to: implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support centre; obtain satisfactory assurances, in the form of a written business associate contract, that its business associate would appropriately safeguard all ePHI in its possession; and reasonably safeguard an unencrypted laptop that was left in an unlocked vehicle overnight.

In addition to the $5.55 million HIPAA settlement, Advocate Health entered into a detailed two-year corrective action plan with OCR to address all HIPAA failures, which requires it to:

  • conduct a revised risk assessment and develop a risk management plan;
  • create HHS-approved plans to encrypt or justify its decision not to encrypt all desktop computers, laptops, mobile phones, USBs and medical equipment that may be used to access, store, download or transmit ePHI;
  • develop an enhanced privacy and security awareness training; and
  • create an HHS-approved plan for management of its current and future business associate relationships.

The Advocate Health settlement emphasises the OCR's enforcement stance against organisations that fail to comply with the foundational HIPAA Security Rule requirement of conducting a comprehensive risk assessment. When announcing the settlement, OCR Director Jocelyn Samuels said: "We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals' electronic protected health information is secure."

For further information on this topic please contact Anna Spencer at Sidley Austin LLP's Washington office by telephone (+1 202 736 8000) or email. Alternatively, contact Meenakshi Datta or Rina Mady at Sidley Austin's Chicago office by telephone (+1 312 853 7000) or email. The Sidley Austin website can be accessed at www.sidley.com.