According to the OCR press release, Advocate Health first came under investigation by OCR in 2013 due to three separate breaches of unsecured electronic PHI (ePHI) (theft of four desktop computers, theft of unencrypted laptop and unauthorized access of a business associate’s network) occurring between August 23 to November 1, 2013, which affected approximately four million individuals. The ePHI included demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and their expiration dates, and dates of birth.
In investigating these three breaches, OCR uncovered one of the most common violations of the HIPAA Security Rule—failure to conduct a comprehensive, organization-wide risk assessment of the potential vulnerabilities to ePHI. In addition, OCR found Advocate Health failed to implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center, obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession, and reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight.
If you have any questions regarding this Sidley Update, please contact the Sidley lawyer with whom you usually work, or
+1 312 853 7169
+1 312 853 6109
Global Life Sciences Practice
Privacy, Data Security and Information Law Practice
To receive Sidley Updates, please subscribe at www.sidley.com/subscribe.
Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.
Attorney Advertising - For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.