The Department of Health and Human Services Office for Civil Rights (OCR) announced on August 4, 2016, a settlement agreement with Advocate Health Care Network, an integrated healthcare system with ten hospitals and a non-profit medical group of more than 1,500 physicians in Illinois (the System or Advocate). The System agreed to adopt a corrective action plan and to pay $5.5 million to settle potential HIPAA violations related to three separate data breach incidents in 2013. The settlement is the largest to-date by OCR with a single entity.

Between August and November 2013, the System submitted three breach notification reports to OCR. The first reported breach involved four computers that were stolen from the Advocate medical group’s administrative offices, with medical records of four million patients. The second reported breach involved unauthorized third-party access to the network of a billing company providing services to the medical group. The third reported breach was related to the theft of a laptop with unencrypted patient records from the car of a medical group employee.

Upon receiving the reports, OCR investigated the breaches and determined that the System failed to:

• conduct an accurate and thorough risk analysis that incorporated all facilities, equipment and systems;
• obtain satisfactory assurances in a written business associate agreement that the billing services company would appropriately safeguard all ePHI in its possession;
• implement policies and procedures to limit physical access to ePHI; and
• reasonably safeguard ePHI.

The settlement agreement is more onerous than other recent agreements with OCR related to HIPAA breaches. Notably, Advocate is required to engage an independent third-party assessor to review its compliance with the corrective action plan. The assessor is authorized to make unannounced visits at Advocate’s facilities, conduct quarterly progress meetings with the System security officer; and interview workforce members. The assessor will follow-up on any reports of noncompliance and prepare written reports to HHS and Advocate.

In addition to requiring an independent assessor to monitor compliance with the corrective action plan, Advocate must:

• conduct a comprehensive and thorough risk analysis of potential risks and vulnerabilities to all ePHI held by all Advocate entities;
• develop and implement an enterprise-wide risk management plan to address and mitigate against security risks and vulnerabilities found in the risk analysis;
• implement a process for evaluating environmental and operational changes that affect the security of ePHI in Advocate’s control including newly acquired entities;
• develop an encryption report to determine the total number of devices and equipment that may access, store, transmit or download ePHI;
• review and revise policies and procedures on device and media controls, facility access controls, and business associates; and
• develop an enhanced privacy and security awareness training program for its workforce members.

The OCR, in its announcement of the settlement agreement, expressed its intent to send a “strong message” to covered entities and business associates about the importance of comprehensive risk analysis and risk management to ensure protected health information is secure.