Advocate Health to Pay Largest Ever HIPAA Settlement

$5.55 million to settle multiple violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This is the largest HIPAA settlement to date against a single entity, and according to OCR, is due to the severity of the HIPAA violations and the length of time that those violations were allowed to persist. OCR alleged that in some instances, the purported violations date back to the effective date of the HIPAA Security Rule.

According to the OCR press release, Advocate Health first came under investigation by OCR in 2013 due to three separate breaches of unsecured electronic PHI (ePHI) (theft of four desktop computers, theft of unencrypted laptop and unauthorized access of a business associate’s network) occurring between August 23 to November 1, 2013, which affected approximately four million individuals. The ePHI included demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and their expiration dates, and dates of birth.

In investigating these three breaches, OCR uncovered one of the most common violations of the HIPAA Security Rule—failure to conduct a comprehensive, organization-wide risk assessment of the potential vulnerabilities to ePHI. In addition, OCR found Advocate Health failed to implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center, obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession, and reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight.

In addition to the $5.5 million HIPAA settlement, Advocate Health entered into a very detailed two-year corrective action plan with OCR to address all HIPAA failures, which requires Advocate Health to: (i) conduct a revised risk assessment and a risk management plan; (ii) create HHS-approved plans to encrypt or justify its decision not to encrypt all desktop computers, laptops, mobile phones, USBs, and medical equipment that may be used to access, store, download or transmit ePHI; (iii) develop an enhanced privacy and security awareness training; and (iv) create an HHS-approved plan for management of its current and future business associate relationships.

The Advocate Health settlement emphasizes OCR’s enforcement stance against organizations that fail to comply with the foundational HIPAA Security Rule requirement of conducting a comprehensive risk assessment. When announcing the Advocate settlement, OCR Director Jocelyn Samuels said “We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals' electronic protected health information is secure.”

  

---

If you have any questions regarding this Sidley Update, please contact the Sidley lawyer with whom you usually work, or

Meenakshi Datta Partner mdatta@sidley.com +1 312 853 7169

Rina Mady Associate rmady@sidley.com +1 312 853 6109

Global Life Sciences Practice

Healthcare Practice

Privacy, Data Security and Information Law Practice

To receive Sidley Updates, please subscribe at www.sidley.com/subscribe.

Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.

Attorney Advertising - For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.