Privacy & Information Security Law Blog

On August 4, 2016, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into a resolution agreement with Advocate Health Care Network (“Advocate”), the largest health care system in Illinois, over alleged HIPAA violations. The $5.5 million settlement with Advocate is the largest settlement to date against a single covered entity.

Following the submission of three breach notification reports by Advocate in 2013 that affected approximately 4 million individuals, OCR investigated Advocate and found it had failed to (1) conduct an accurate and thorough risk assessment, (2) limit physical access to its data center that contained electronic protected health information (“ePHI”), (3) obtain satisfactory assurances from its business associate that it would adequately safeguard ePHI, and (4) reasonably safeguard ePHI by leaving an unencrypted laptop containing ePHI in an unlocked vehicle overnight.

The resolution agreement requires Advocate to pay $5.5 million to OCR and enter into a Corrective Action Plan that obligates Advocate to:

• modify its existing risk analysis to include a completely inventory of all Advocate facilities, equipment, systems and applications that contain or store ePHI;
• develop and implement a comprehensive risk management plan to address those risks and vulnerabilities identified in the risk analysis;
• implement a process for evaluating environmental or operational changes that affect the security of Advocate’s ePHI;
• develop an encryption report that explains why any Advocate device and equipment are not encrypted;
• review and revise its policies and procedures on device and media controls, facility access controls and business associates;
• enhance its existing security awareness training program;
• submit an Internal Monitoring Plan to OCR;
• report any events of noncompliance with its HIPAA policies and procedures; and
• submit a detailed Implementation Report to OCR within 120 days after its approval of its risk management plan, as well as annual compliance reports for a period of two years.

In announcing the settlement with Advocate, OCR Director Jocelyn Samuels noted that “[w]e hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure.” Director Samuels further emphasized reducing the “risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”

The large monetary settlement with Advocate resulted from several factors, including (1) the extent and duration of Advocate’s noncompliance with the HIPAA rules; (2) the involvement of the Illinois Attorney General in a parallel investigation of Advocate, and (3) the large number of individuals affected by the Advocate breaches.