Latest OCR HIPAA Settlement Provides Lessons for Covered Entities
Capping off a busy month of HIPAA settlements, on August 4, the Office for Civil Rights (“OCR”) announced a $5.55 million settlement with Advocate Health Care Network (“Advocate”), the largest fully-integrated healthcare system in Illinois. The settlement is the largest HIPAA settlement ever by a single entity. The settlement comes on the heels of two July settlement announcements with Oregon Health & Science University (“OHSU”) ($2.7 million) and the University of Mississippi Medical Center ($2.75 million). In total, OCR has reached nine HIPAA settlements in 2016, in addition to the imposition of civil monetary penalties against Lincare, Inc. (which we covered here). In contrast, the office entered into only six settlements in all of 2015. As Jocelyn Samuels, the Director of OCR, indicated in a press release regarding the Advocate settlement, the settlements should be a wake-up call to HIPAA Covered Entities and Business Associates:
We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure. This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.
The Advocate settlement resulted from OCR investigations after Advocate notified OCR of three breaches between August 23, 2013 and November 1, 2013. The three breaches related to (1) the theft of desktop computers containing the electronic protected health information (ePHI) of nearly 4 million individuals, (2) the potential compromise of the ePHI of 2,000 individuals due to unauthorized access to the network of one of Advocate’s Business Associates, and (3) the theft from a workforce member’s car of an unencrypted laptop containing the ePHI of 2,200 individuals.
In investigating these breaches, OCR found that Advocate had failed to conduct an accurate, enterprise-wide risk analysis, failed to implement appropriate safeguards for ePHI, and failed to enter into a business associate agreement (“BAA”) with the billing services company that experienced improper network access. These findings were similar to findings in other recent settlements. In the OHSU settlement, OCR noted that OHSU had conducted a number of risk analyses, but that the analyses did not cover all of the ePHI in the OHSU enterprise. Settlements earlier this year also highlighted the importance of BAAs (see our post on one recent settlement here).
Though these recent settlements all involve large medical systems, smaller providers also need to ensure that they are conducting and updating their risk assessments, identifying and addressing vulnerabilities, and entering into BAAs. The corrective action plan entered into by Advocate is a useful guide to the type of HIPAA compliance efforts OCR expects to see. It requires Advocate to:
- Conduct an enterprise-wide risk analysis and develop an enterprise-wide risk management plan;
- Implement a process for evaluating changes to the operations and security environment of the enterprise;
- Develop a report on encryption status throughout the entity, including an explanation for the total number of devices and equipment that are not encrypted;
- Review and revise policies on device and media controls and facility access controls;
- Review and revise policies on business associates; and
- Develop an enhanced privacy and security training program for all workforce members.