Record-Breaking HIPAA Settlement Sends Strong Message to Covered Entities

Obermayer Rebmann Maxwell & Hippel LLP

This month marked the largest HIPAA settlement to date for a single entity. Advocate Health Care Network (“Advocate”) agreed to pay $5.5 million and adopt a corrective action plan after an investigation by the Department of Health and Human Services’ Office for Civil Rights (“OCR”) revealed that Advocate’s widespread noncompliance with the requirements of HIPAA affected the protected health information (“PHI”) of four million individuals.

OCR’s investigation into Advocate began in 2013 after its subsidiary, Advocate Medical Group (“AMG”), reported three separate data breaches. AMG reported: (i) a laptop computer stolen from an AMG office building, (ii) unauthorized access into a business associate’s computer network, and (iii) an unencrypted laptop taken from an employee’s unlocked vehicle. In combination, the three data breaches compromised the names, addresses, credit card information, clinical information, and health insurance information of four million individuals.

In the course of the resulting investigation, OCR found that Advocate had failed to:

  • conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its electronic PHI (“ePHI”);
  • implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center;
  • obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession; and
  • reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight.

In response to the record-breaking settlement, OCR Director Jocelyn Samuels said, “[w]e hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure.”

This settlement is yet another illustration of OCR’s increasingly aggressive approach to HIPAA enforcement. Not only has OCR been active in bringing enforcement actions when ePHI is compromised, but it has also tightened scrutiny of HIPAA compliance more broadly by launching its HIPAA compliance audit program.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Obermayer Rebmann Maxwell & Hippel LLP | Attorney Advertising
