HIPAA/HITECH , Standards, Regulations & Compliance
Advocate Health Hit with Record $5.5 Million HIPAA PenaltySettlement Stems from OCR's Investigation Into Three 2013 Breaches
In the largest HIPAA enforcement settlement to date, federal regulators have smacked Chicago-based Advocate Health Care with a $5.55 million fine in the wake of an investigation into three 2013 breaches. The largest incident, involving four stolen unencrypted computers, affected about 4 million individuals.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
"This significant settlement, the largest to-date against a single entity, is a result of the extent and duration of the alleged noncompliance - dating back to the inception of the [HIPAA] Security Rule in some instances - the involvement of the state attorney general in a corresponding investigation, and the large number of individuals whose information was affected by Advocate, one of the largest health systems in the country," the Department of Health and Human Services' Office for Civil Rights says in an Aug. 4 statement.
OCR Director Jocelyn Samuels notes: "We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals' ePHI is secure. This includes implementing physical, technical and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level."
OCR says its latest enforcement action, which includes a detailed corrective action plan, follows its investigation launched after Advocate, which operates 12 hospitals and numerous clinics, submitted three breach notification reports pertaining to separate incidents involving its subsidiary, Advocate Medical Group.
Reasons for Big Fine
Privacy attorney Kirk Nahra of the law firm Wiley Rein says that while the settlement appears to focus on compliance issues, such as failure to conduct risk analysis, that are frequently highlighted by the enforcement agency, the OCR breach investigations likely uncovered egregious violations.
"OCR is - and has been historically - both reasonable and knowledgeable," he says. "They seem to know when people are trying hard and when they are not. Going through their cases - and I don't see anything here to indicate this [Advocate case] is different - 'extent and duration' matters a lot, as does not fixing existing problems."
Privacy attorney David Holtzman, vice president of compliance at the security consultancy CynergisTek, says every OCR resolution agreement is a negotiated settlement in which any number of factors can influence the outcome. "A significant factor in the size of the payment to settle the allegations with OCR is the length of time in which OCR found that Advocate had not met the requirements of the HIPAA Security Rule, as well as their apparent ample financial resources allowing them to absorb the cost of such a penalty," he says.
"What I see as important are the allegations that Advocate health system had not met the HIPAA Security Rule requirements established in 2005 to perform an enterprisewide information security risk assessment or put into place a program designed to reasonably safeguard protected health information across its organization," Holtzman says.
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine says the settlement offers important lessons: "The top three takeaways for me from this settlement are: The bigger the entity, the bigger the settlement, with OCR steadily increasing the settlement amount it is seeking to impose on large covered entities; covered entities have had over a decade to come into compliance with the HIPAA Security Rule; ... and OCR continues to focus on the importance of a risk analysis."
OCR's 10th Settlement This Year
The settlement with Advocate is OCR's tenth enforcement action so far in 2016, keeping the agency on a roll in issuing a record number of HIPAA enforcement actions (see 2016 Watershed Year for HIPAA Enforcement).
This latest fine brings the total penalties levied by OCR this year to about $20.5 million, more than in any previous year.
"At this point, we have a record number of settlements in 2016, and a record-breaking settlement amount, with over four months remaining in the year," Greene notes. "I expect that we will continue to see an increased number of settlements over the coming years, although there may be a lull in the beginning of 2017 as the administration changes."
Nahra adds: "You could certainly read into the last few months of HIPAA activity and say both that the pace of enforcement is increasing and that OCR is being less tolerant of significant violations. I don't see any overall change at the biggest picture level - they still tend to be reasonable, and appreciate strong efforts at compliance, even if something doesn't work."
The message to HIPAA covered entities and business associates from the latest enforcement activities, Nahra says, is: "OCR is out there, is active, and can tell if you aren't doing a good job. It makes sense to re-evaluate and re-examine your compliance approach, even if you haven't had real problems before."
The Three Breaches
The three Advocate breaches exposed a variety of demographic, clinical and health insurance information, as well as credit card numbers. The largest of the incidents involved the theft of four unencrypted computers in July 2013 from an office of Advocate Medical Group in Illinois.
OCR notes that the two other breaches reported in 2013 leading to the settlement included:
- A breach involving Blackhawk Consulting Group, a business associate which provides billing services to Advocate. Advocate reported that the ePHI of 2,027 patients had been potentially compromised when an unauthorized third party accessed Blackhawk's network.
- The theft of an unencrypted laptop containing the ePHI of approximately 2,237 individuals from an Advocate workforce member's vehicle.
OCR says the investigations into the three incidents revealed that Advocate failed to:
- Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI;
- Implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center;
- Obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession;
- Reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight.
Corrective Actions Mandated
As part of the resolution agreement, Advocate has agreed to a corrective action plan that calls for:
- Conducting a comprehensive and thorough risk analysis and implementing a risk management plan;
- Implementing processes for evaluating environmental and operational changes that affect the security of ePHI in Advocate's possession or control;
- Developing a report on its encryption status;
- Revising policies and procedures on device and media controls as well as limiting physical access to all of its electronic information;
- Revising policies and procedures related to business associates; and
- Developing an enhanced privacy and security awareness training program.
In a statement provided to Information Security Media Group, Advocate says: "Protecting the privacy and confidentiality of our patients while delivering the highest level of care and service are our top priorities. As all industries deal with the ever-evolving digital landscape and the impact it has on security, we've enhanced our data encryption measures to prevent this type of incident from reoccurring. While there continues to be no indication that the information was misused, we deeply regret any inconvenience this incident has caused our patients. We continue to cooperate fully with the government to advance our patient privacy protection efforts."
While OCR hit Advocate hard in its enforcement action, an Illinois appellate court in August 2015 upheld the dismissal of two breach-related lawsuits filed against the health system (see Advocate Health Ruling: The Impact) .