On August 8th, 2016, the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) issued the largest Health Insurance Portability and Accountability Act (HIPAA) settlement to date with Advocate Health Care System (Advocate). Advocate agreed to pay $5.55 million to settle a variety of HIPAA violations. Advocate is the largest health system in Illinois and operates more than 400 sites of care with 12 acute care hospitals. This settlement comes in the wake of a series of recent HIPAA violation settlements and other enforcement activities by OCR, including phase 2 of the HIPAA audit program.
The Advocate settlement resulted from three separate HIPAA breach incidents reported by Advocate to HHS in connection with one of Advocate’s wholly owned subsidiaries, Advocate Medical Group (AMG). The incidents occurred between August and November of 2013. The first incident involved the theft of four desktops from one of AMG’s offices containing patient records. The second incident involved the breach of electronic protected health information (ePHI) of AMG patient data by a subcontractor billing company. The third incident involved the theft of an unencrypted laptop from the car of an AMG employee containing patient files with ePHI. The three incidents combined involved the compromise of over 4 million individual patient records including names, addresses, dates of birth, credit card numbers with expiration dates, demographic information, clinical information and health insurance information.
Through an investigation of these incidents, OCR determined that Advocate failed to comply with HIPAA in a variety of ways; including the following:
Failing to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI;
Failing to implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center;
Failing to obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession or control (and impermissibly disclosed the ePHI of 2,027 individuals when it failed to obtained business associate agreements prior to disclosure); and
Failing to reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight.
The settlement agreement requires Advocate to implement numerous corrective actions to remedy the described failures, such as: modifying Advocate’s existing risk analysis; developing and implementing a risk management plan; implementing a process for evaluating environmental and operational changes; reviewing and revising policies and procedures on device and media controls; reviewing and revising policies and procedures on facility access controls; reviewing and revising policies and procedures related to business associates; and developing an enhanced privacy and security awareness training program.
This settlement, along with the recent large settlements involving the other health systems, highlights the increase in recent enforcement actions and the increase in penalty amounts being issued. As we previously reported, phase 2 HIPAA security audits have begun and focus is being paid to HIPAA compliance of both covered entities and business associates. Both covered entities and business associates should review existing HIPAA compliance to avoid being subject to similar penalties as Advocate.