On August 4, 2016, the U.S. Department of Health and Human Services, Office of Civil Rights (OCR) announced a record-setting settlement with Advocate Health Care Network (Advocate) for multiple potential violations of HIPAA from three ePHI breach events in 2013.  According to the OCR, this is the largest payment ($5.55 million) by a single entity for a HIPAA settlement.  The affected data included demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and expiration dates, and dates of birth – information which, collectively, can be used for identity theft and credit card fraud.

Along with the multi-million dollar payment, Advocate also agreed to a Resolution Agreement and a very detailed Corrective Action Plan.  Advocate did not admit to any wrongdoing and has indicated that it has enhanced its data encryption measures.

The settlement announcement included a stern warning from OCR Director Jocelyn Samuels about the need for covered entities to improve their risk assessments and data security processes to protect electronic personal health information (ePHI):

We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure.  This includes implementing physical, technical, and administrative security measures to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.

That message, coupled with the new wave of Phase II OCR audits to evaluate HIPAA compliance, indicates that the OCR has moved beyond the stage of merely educating and encouraging covered entities about their statutory obligations to safeguard protected patient health information.  In 2016, OCR is now clearly focused on enforcement and accountability.  Big-dollar settlements and highly-detailed corrective action plans (CAP) are becoming the new normal.  Indeed, the total amount of HIPAA settlements in 2016 to date is already more than $20 million, far surpassing the prior record of $7.9 million in 2014.  The OCR maintains a list of other HIPAA settlements on its website.

Background on the Advocate ePHI Breach Incidents

According to the OCR, between August 23 and November 1, 2013, Advocate reported three breach notification incidents to HHS: (1) the theft of four desktop computers from an Advocate facility; the computers contained the ePHI of about 4 million patients; (2) the unauthorized access to the network of a business associate; the network contained ePHI of about 2,000 people; and (3) the theft of an unencrypted laptop from an unlocked car belonging to an Advocate employee; the laptop contained ePHI of about 2,200 people.

OCR’s Conclusions About Advocate’s Inadequate Data Security Processes

Based on its investigation of the three data breach incidents, the OCR faulted Advocate in the following respects:

• failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI;

• failed to implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center;

• failed to obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession; and

• failed to reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight.

The Corrective Action Plan

In addition to the significant $5.55 million payment to HHS, Advocate agreed to a comprehensive Corrective Action Plan (CAP) as well.  The CAP presumably contains what HHS considers to be a reasonable strategy for addressing the process failures that contributed to the ePHI breach events.   The compliance period for the plan has a presumptive life span of two years.

The CAP contains the following provisions, which are set forth more fully within the document itself:

1. Modify Existing Risk Analysis: Requires Advocate to “conduct a comprehensive and thorough Risk Analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI” it holds.
2. Develop and Implement a Risk Management Plan: Requires Advocate to develop “an enterprise-wide Risk Management Plan to address and mitigate any security risks and vulnerabilities found in the Risk Analysis” described above.  The Plan is required to “include a process and timeline for Advocate’s implementation, evaluation, and revision of its risk remediation activities.”
3. Implement Process for Evaluating Environmental and Operational Changes: Requires Advocate to “develop a written process to regularly evaluate any environmental or operational changes that affect the security of ePHI in Advocate’s possession or control, including Advocate’s acquisition of new entities.”
4. Develop Encryption Report: Requires Advocates to submit a written report to HHS that details (a) the total number of all Advocate devices an equipment that may be used to access, store, download, or transmit Advocate ePHI; (b) the total number of all such Advocate devices and equipment that are encrypted; and (c) an explanation for the number of devices and equipment that are not encrypted.
5. Device and Media Controls: Requires Advocate to review and, if needed, revise its policies and procedures related to the use of hardware and electronic media that may be used to access, store, download, or transmit Advocate ePHI.
6. Facility Access Controls: Requires Advocate to review and, if needed, revise its policies and procedures to limit physical access to all of its electronic information systems and the facilities in which they are housed, while ensuring that properly authorized access is allowed.
7. Business Associates: Requires Advocate to review and, if necessary, revise its policies and procedures related to Business Associates.
8. Develop an Enhanced Privacy and Security Awareness Training Program: Requires Advocate to “augment” its existing mandatory HIPAA training program for all Advocate workforce members who have access to PHI, including ePHI.
9. Monitoring: Requires Advocate to develop and submit to HHS a written description of its plan to monitor internally its compliance with the CAP.

Companies can expect HHS to insist on similarly detailed and comprehensive Corrective Action Plans as part of future settlements of alleged HIPAA violations involving ePHI.  Stay tuned.