On Thursday, August 4, 2016, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced that Advocate Health Care Center (Advocate Health) agreed to pay $5.55 million to settle multiple violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This is the largest HIPAA settlement to date against a single entity, and according to OCR, is due to the severity of the HIPAA violations and the length of time that those violations were allowed to persist. OCR alleged that in some instances, the purported violations date back to the effective date of the HIPAA Security Rule.
According to the OCR press release, Advocate Health first came under investigation by OCR in 2013 due to three separate breaches of unsecured electronic PHI (ePHI) (theft of four desktop computers, theft of unencrypted laptop and unauthorized access of a business associate's network) occurring between August 23 to November 1, 2013, which affected approximately four million individuals. The ePHI included demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and their expiration dates, and dates of birth.
In investigating these three breaches, OCR uncovered one of the most common violations of the HIPAA Security Rule—failure to conduct a comprehensive, organization-wide risk assessment of the potential vulnerabilities to ePHI. In addition, OCR found Advocate Health failed to implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center, obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession, and reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight.
In addition to the $5.5 million HIPAA settlement, Advocate Health entered into a very detailed two-year corrective action plan with OCR to address all HIPAA failures, which requires Advocate Health to: (i) conduct a revised risk assessment and a risk management plan; (ii) create HHS-approved plans to encrypt or justify its decision not to encrypt all desktop computers, laptops, mobile phones, USBs, and medical equipment that may be used to access, store, download or transmit ePHI; (iii) develop an enhanced privacy and security awareness training; and (iv) create an HHS-approved plan for management of its current and future business associate relationships.
The Advocate Health settlement emphasizes OCR's enforcement stance against organizations that fail to comply with the foundational HIPAA Security Rule requirement of conducting a comprehensive risk assessment. When announcing the Advocate settlement, OCR Director Jocelyn Samuels said "We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals' electronic protected health information is secure."