Athletes at the Rio Olympics aren’t the only ones setting records this year. Hoping to send a “strong message” about the importance of safeguarding electronic protected health information (PHI) and conducting mandated risk analyses, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) recently reached the largest settlement to date against a single entity for alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). This settlement also marks a new record in the number of HIPAA settlements reached in a year by OCR. Given the pace of recent HIPAA settlements, OCR likely will continue to beat its own record over the course of 2016.
On August 4th, OCR announced it had settled an enforcement action with Advocate Health Care Network (Advocate) for alleged potential HIPAA violations, requiring the covered entity to pay a record-breaking $5.55 million and adhere to an extensive, two-year corrective action plan. OCR’s action against Advocate stemmed from three separate breach events in 2013, namely: the theft of four desktop computers from an Advocate subsidiary; the unauthorized intrusion of a business associate’s computer network; and the theft of an unencrypted laptop from a subsidiary employee’s unlocked vehicle. The triple breach, according to OCR, potentially compromised electronic PHI of more than 4 million individuals.
OCR specifically alleged that Advocate failed to: conduct an accurate and thorough risk analysis; implement measures to restrict physical access to its electronic systems; enter into a business associate agreement (BAA) contractually requiring its business associates to appropriately safeguard electronic PHI; and reasonably safeguard an unencrypted laptop containing electronic PHI left in an unlocked vehicle overnight.
As part of its two-year corrective action plan, Advocate, among other things, must:
- Conduct a risk analysis to assess vulnerabilities to electronic PHI and implement a risk management plan;
- Develop written processes to regularly evaluate environmental or operational changes that affect the security of electronic PHI;
- Devise a report detailing the encryption status of its equipment;
- Revise policies and procedures concerning business associates, including creating a process to negotiate and enter into a BAA prior to disclosing PHI to a business associate;
- Revise facilities access control policies and procedures to limit physical access to Advocate’s electronic information systems;
- Develop an “enhanced” privacy and security training program for employees;
- Create a plan to internally monitor its compliance with the corrective action plan; and
- Engage an independent third-party assessor to investigate, assess, and determine Advocate’s compliance with the corrective action plan.
The Takeaways: Compliance in a Changing HIPAA Enforcement Climate
Some lessons that HIPAA-subject entities should draw from the Advocate settlement include:
- Increase in HIPAA Enforcement – and Settlements – Likely to Continue. OCR’s settlement with Advocate marks its tenth enforcement action in 2016 so far, already surpassing the agency’s past high of seven settlements in a year. With four-and-a-half months remaining in the calendar year, more settlements are likely before 2016 comes to a close.
Because it takes years for investigations to reach the settlement phase, this year’s record number of settlements is likely not indicative of a sudden change in enforcement practices, but of a shift that has been under way for years and will likely continue for the foreseeable future. Although OCR likely will continue to resolve most cases without fines or financial settlements, it appears that OCR is willing to exercise formal enforcement in a significantly growing percentage of investigations.
- The Bigger the Entity, The Bigger the Violations, The Bigger the Settlement. Advocate’s unprecedented settlement amount likely was due in part to the large size of the covered entity and further exacerbated by the number of reported breaches, the length of time that alleged violations occurred (dating back to 2005), and the large number of individuals affected. But OCR also appears to be steadily increasing the settlement amounts imposed. In 2016 alone, six out of ten OCR settlements included penalties of $1 million or more, while only one settlement in all of 2015 (out of six total) had similarly high fines.
- Risk Analyses are Critical for HIPAA Compliance. Although OCR could have focused on any number of information security issues with respect to Advocate, its press release highlighted the covered entity’s alleged lack of a comprehensive risk analysis and risk management under the HIPAA Security Rule. This is consistent with the majority of recent OCR settlements and underscores that completing and regularly updating a risk analysis consistent with OCR guidance and maintaining a corresponding risk management plan likely are a covered entity or business associate’s most important HIPAA compliance actions.
- Have BAAs In Place Before Disclosing PHI. Besides Advocate, OCR has recently penalized two other covered entities for failing to have BAAs in place prior to sharing PHI with third-party vendors, to the tune of $750,000 and $1.55 million respectively. Covered entities should verify that obtaining a BAA is a required step in their normal contracting process, so that no PHI is disclosed to a vendor before the agreement is signed.
- Know Which Vendors Qualify as “Business Associates.” The HIPAA Omnibus Rule, in place since 2013, significantly revised which enterprises qualify as “business associates.” Importantly, third parties that create, receive, maintain, or transmit PHI generally now qualify as a business associate, rather than just those that use and disclose PHI as part of their services.
Business associates do not avoid HIPAA liability by declining to sign BAAs. An entity that meets the regulatory definition of a business associate is one, and is directly subject to HIPAA obligations, whether or not a BAA is in place.