UPDATE: Since publication of this report, Advocate has issued an official statement on the settlement.
Illinois-based healthcare system Advocate Health Care (Advocate) recently agreed to a $5.5 million OCR HIPAA settlement, stemming from multiple alleged HIPAA violations and noncompliance issues.
This is the largest settlement to date against a single entity, which is due in part to some of the alleged noncompliance dating back to the inception of the HIPAA Security Rule, OCR explained in a statement.
“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,” OCR Director Jocelyn Samuels said. “This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”
Advocate submitted three data breach notification reports to HHS between August 23, 2013 and November 1, 2013. The first one took place in August 2013 and involved the theft of four unencrypted desktop computers containing the ePHI of 3,994,175 individuals.
The next incident was in September 2013 and involved an Advocate business associate. An unauthorized third party reportedly accessed the business associate’s network, potentially compromising the ePHI of 2,027 patients.
Finally, Advocate reported in November 2013 that an unencrypted laptop containing the ePHI of approximately 2,237 individuals was stolen from a workforce member’s car.
After investigating all three incidents, OCR determined that Advocate had failed to:
- Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI
- Implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center
- Obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession
- Reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight.
Per the Corrective Action Plan, Advocate must modify its existing risk analysis, develop and implement a risk management plan, implement a process for evaluating environmental and operational changes, and develop an encryption report.
Furthermore, the health system needs to review its current policies on device and media controls and make adjustments as necessary.
“The policies shall identify criteria for the use of such hardware and electronic media and procedures for obtaining authorization for the use of personal devices and media that utilize Advocate ePHI systems,” the CAP states. “The policies shall also address security responsibilities, including disposal and reuse of personal devices and media, and regular compliance monitoring.”
Advocate also must review and revise its policies on facility access controls, as well as those related to business associates. A process must be put in place to determine that any business associate relationship adheres to HIPAA rules, and ensure that ePHI disclosures are limited to the minimum amount necessary. A documentation process of the relationship will also need to be maintained for at least six years.
Finally, the health system must develop an enhanced privacy and security awareness training program.
“The Training Program shall include general instruction on compliance with Advocate's policies and procedures related to the HIPAA Rules,” OCR wrote. “The Training Program may be conducted online and/or electronically, in its entirety, using computers and eLearning tools.”
UPDATE: Advocate emailed a statement to HealthITSecurity.com about the settlement:
“Protecting the privacy and confidentiality of our patients while delivering the highest level of care and service are our top priorities. As all industries deal with the ever-evolving digital landscape and the impact it has on security, we’ve enhanced our data encryption measures to prevent this type of incident from reoccurring. While there continues to be no indication that the information was misused, we deeply regret any inconvenience this incident has caused our patients. We continue to cooperate fully with the government to advance our patient privacy protection efforts.”