Anytime we conduct a training, we can’t help but turn blue in the face repeating over and over again the importance of conducting an accurate and thorough risk analysis of electronic PHI (ePHI). In the event of a breach or an audit, one of the first items the Office of Civil Rights (OCR) will ask for is the risk analysis. The OCR has obviously lost its patience with entities that choose not to, or fail to, perform an adequate risk analysis. Earlier this month, Advocate Health Care Center (Advocate Health) agreed to pay a massive $5.55 million to settle multiple violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This settlement is the largest to date against a single entity.
According to the OCR press release, Advocate Health first came under investigation by OCR in 2013 due to three separate breaches of unsecured ePHI (theft of four desktop computers, theft of an unencrypted laptop, and unauthorized access to a business associate’s network) occurring between Aug. 23 and Nov. 1, 2013, which affected close to 4 million individuals. The ePHI included demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and their expiration dates, and dates of birth. Upon investigation, the OCR determined (in part) that Advocate Health:
- Failed to conduct an accurate and thorough risk analysis: We are going to go ahead and risk turning blue in the face again—Please—DO NOT FALL VICTIM to one of the most common violations of the HIPAA Security Rule—make sure to conduct an accurate and thorough risk analysis. In OCR Director Jocelyn Samuels’ words, “We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure…This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”
- Failed to obtain a Business Associate Agreement with a billing vendor: Every entity should have a process in place (and designate a specific individual(s)) in which every contract involving the use and disclosure of PHI is reviewed and confirmed that an applicable business associate agreement governs the vendor arrangement.
- Failed to reasonably safeguard ePHI when a workforce member left an unencrypted laptop in an unlocked vehicle overnight: Stolen laptops are a common problem. They are one of the most common breach-related issues we deal with for clients. The Advocate Health settlement is not the first time the OCR has entered into a large settlement with an entity for failing to appropriately secure laptops, and it will not be the last. Encryption is your best defense against these incidents.
As mentioned previously, many of Advocate Health’s breaches stemmed from failures dating back to 2013. The fact that Advocate Health permitted violations of the HIPAA Rules to persist contributed to the large settlement amount (in some instances, violations date back to the effective date of the HIPAA Security Rule). In addition to the OCR $5.5 million settlement, the Illinois Attorney General is conducting its own parallel investigation, which will likely increase the total amount Advocate Health will eventually shell out for failing to comply with HIPAA—a definite knockout.