Data Breaches Lead to Record-Breaking HIPAA Settlement

Advocate Health Care Network (Advocate), one of the nation’s largest health care systems, recently reached a $5.55 million settlement with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) for potential violations of the Health Insurance Portability and Accountability Act (HIPAA). The $5.55 million settlement is the largest HIPAA settlement in history against a single entity.

OCR’s investigation arose after Advocate reported three separate data breaches to OCR that occurred between July and November of 2013. The first breach occurred when four desktop computers were stolen from an Advocate administrative building. Another breach occurred when an unencrypted laptop was stolen from an Advocate employee’s unlocked vehicle. A third breach occurred when an unauthorized third party accessed the network of a company that provides billing services to Advocate. A total of more than 4 million patient records were affected by the breaches.

OCR’s investigations into these breaches indicated that Advocate failed to:

• conduct a thorough risk analysis of all of its facilities and equipment;
• implement policies and procedures to limit physical access to the administrative building from which desktops containing protected health information (PHI) were stolen;
• reasonably safeguard electronic PHI (ePHI); and
• enter into a HIPAA-compliant business associate agreement with its billing company to assure that the billing company would appropriately safeguard all ePHI in its possession.

OCR stated that the size of the settlement was due to the extent and duration of the violations. In a statement, OCR Director Jocelyn Samuels said that OCR “hope[s] this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure.”

The Advocate settlement comes on the heels of other recent, large HIPAA settlements, including a $2.75 million settlement with the University of Mississippi Medical Center in Jackson and a $2.7 million settlement with Oregon Health & Science University in Portland.

The Advocate settlement underscores the significant consequences of failing to comply with HIPAA. Covered entities and business associates are experiencing increased scrutiny by OCR, particularly in light of OCR’s recent announcement that is has begun Phase 2 of its HIPAA audit program.

In order to avoid investigations, fines and other negative consequences, it is critical for covered entities to ensure that their policies and procedures are in compliance with HIPAA. All covered entities, business associates, and subcontractors of business associates must conduct a risk analysis. Covered entities should ensure that their employees are trained to handle PHI in a secure manner. Additionally, covered entities should assess their physical security measures to ensure that unauthorized individuals cannot obtain access to electronic PHI on their premises. Finally, covered entities should ensure that they have entered into HIPAA-compliant business associate agreements with all of their business associates.