Read the message from OCR at the very end of this article.
On Thursday, August 4, 2016, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced that Advocate Health Care Center (Advocate Health) agreed to pay $5.55 million to settle multiple violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This is the largest HIPAA settlement to date against a single entity, and according to OCR, is due to the severity of the HIPAA violations and the length of time that those violations were allowed to persist. OCR alleged that in some instances, the purported violations date back to the effective date of the HIPAA Security Rule.
According to the OCR press release, Advocate Health first came under investigation by OCR in 2013 due to three separate breaches of unsecured electronic PHI (ePHI) (theft of four desktop computers, theft of unencrypted laptop and unauthorized access of a business associate’s network) occurring between August 23 to November 1, 2013, which affected approximately four million individuals. The ePHI included demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and their expiration dates, and dates of birth.
In investigating these three breaches, OCR uncovered one of the most common violations of the HIPAA Security Rule—failure to conduct a comprehensive, organization-wide risk assessment of the potential vulnerabilities to ePHI. In addition, OCR found Advocate Health failed to implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center, obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession, and reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight.