News Feature | August 17, 2016

Advocate Health Reaches Record $5.55 Million HIPAA Penalty Agreement

By Megan Williams, contributing writer

MSPs must be HIPAA Compliant

In a world riddled with data breaches, it can be easy to forget that one of the biggest threats to patient data is internal mishandling by providers. Case in point: HHS announced that Advocate Health Care Network has agreed to a $5.55 million settlement with OCR (the Office for Civil Rights).

The settlement covers multiple potential HIPAA violations and includes an agreement to carry out a corrective action plan. It sets a record as the largest to date from a single entity, primarily because of the duration and extent of the alleged noncompliance (some of Advocate Health’s issues date back to the beginning of the Security Rule), the necessary involvement of the State Attorney General, and the large number of individuals whose PHI was affected.

OCR Director Jocelyn Samuels hopes the news will have a positive impact on the healthcare community, saying, “We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure. This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”

The Investigation

According to HHS.gov, the investigation began with Advocate submitting three breach notification reports in 2013. Each pertained to a separate and distinct incident involving its subsidiary, Advocate Medical Group (AMG). Those breaches alone impacted four million individuals and exposed clinical information, health insurance data, demographic information, names, addresses, credit card information, and dates of birth. Advocate was found to have failed in multiple areas, not having:

  • Conducted an accurate and thorough assessment of risks and vulnerabilities of ePHI.
  • Implemented policies, procedures, and facility access controls that limit physical access to the electronic information systems housed in its larger data support center.
  • Properly and reasonably safeguarded an unencrypted laptop that had been left in an unlocked vehicle overnight.
  • Obtained the proper assurances, in the form of a written business associate (BA) contract, that the business associate would properly safeguard all ePHI in its possession.

Advocate Health Care Network is a dominant presence in the Illinois healthcare scene with over 250 treatment locations (including ten acute-care hospitals and two integrated children’s hospitals). AMG, meanwhile, is a physician-led, nonprofit medical group that focuses on medical imaging and primary care, as well as outpatient and specialty services in and around Chicago and Bloomington-Normal, IL.

Going Deeper

The resolution agreement and corrective action plan are available here.