Latest OCR HIPAA Settlement Provides Lessons for Covered Entities

Mintz - Health Care Viewpoints

Capping off a busy month of HIPAA settlements, on August 4, the Office for Civil Rights (“OCR”) announced a $5.55 million settlement with Advocate Health Care Network (“Advocate”), the largest fully-integrated healthcare system in Illinois. The settlement is the largest HIPAA settlement ever by a single entity. The settlement comes on the heels of two July settlement announcements with Oregon Health & Science University (“OHSU”) ($2.7 million) and the University of Mississippi Medical Center ($2.75 million). In total, OCR has reached nine HIPAA settlements in 2016, in addition to the imposition of civil monetary penalties against Lincare, Inc. (which we covered here). In contrast, the office entered into only six settlements in all of 2015. As Jocelyn Samuels, the Director of OCR, indicated in a press release regarding the Advocate settlement, the settlements should be a wake-up call to HIPAA Covered Entities and Business Associates:

We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure. This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.

The Advocate settlement resulted from OCR investigations after Advocate notified OCR of three breaches between August 23, 2013 and November 1, 2013. The three breaches related to (1) the theft of desktop computers containing the electronic protected health information (ePHI) of nearly 4 million individuals, (2) the potential compromise of the ePHI of 2,000 individuals due to unauthorized access to the network of one of Advocate’s Business Associates, and (3) the theft from a workforce member’s car of an unencrypted laptop containing the ePHI of 2,200 individuals.

In investigating these breaches, OCR found that Advocate had failed to conduct an accurate, enterprise-wide risk analysis, failed to implement appropriate safeguards for ePHI, and failed to enter into a business associate agreement (“BAA”) with the billing services company that experienced improper network access. These findings were similar to findings in other recent settlements. In the OHSU settlement, OCR noted that OHSU had conducted a number of risk analyses, but that the analyses did not cover all of the ePHI in the OHSU enterprise.  Settlements earlier this year also highlighted the importance of BAAs (see our post on one recent settlement here).

Though these recent settlements all involve large medical systems, smaller providers also need to ensure that they are conducting and updating their risk assessments, identifying and addressing vulnerabilities and entering into BAAs. The corrective action plan entered into by Advocate is a useful guide to the type of HIPAA compliance efforts OCR expects to see.  It requires Advocate to:

  1. Conduct an enterprise-wide risk analysis and develop an enterprise-wide risk management plan;
  2. Implement a process for evaluating changes to the operations and security environment of the enterprise;
  3. Develop a report on encryption status throughout the entity, including an explanation for the total number of devices and equipment that are not encrypted;
  4. Review and revise policies on device and media controls and facility access controls;
  5. Review and revise policies on business associates; and
  6. Develop an enhanced privacy and security training program for all workforce members.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
