Fannie Fang
Executive Editor
Loyola University Chicago School of Law, JD 2017
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently agreed to a settlement with Advocate Health Care Network (Advocate), the largest health system in the Chicago area. In the settlement, Advocate agreed to pay $5.55 million in monetary damages and to implement corrective actions for allegedly violating the Health Insurance Portability and Accountability Act (HIPAA). This settlement is significant in that it is considered to be the highest settlement with a single health care entity to date.
Initial Investigation
In 2013, OCR began an investigation in response to three breach notification reports from a subsidiary of Advocate. The subsidiary, Advocate Medical Group (“AMG”), is a nonprofit medical group in Illinois. The breaches affected electronic protected health information (“ePHI”) and involved highly confidential data, including beneficiaries’ demographic, clinical, and health insurance information.
During the investigation, OCR alleged that Advocate failed to exercise due diligence in implementing appropriate security measures and, as a result, OCR believes Advocate was unable to assess its potential risks and vulnerabilities to a breach of ePHI. Advocate agreed to settle with OCR for $5.55 million. In calculating the settlement amount, OCR took into account the extent and duration of the alleged noncompliance, the involvement of the State Attorney General in the investigation, and the significant number of individuals who were affected.
In addition to the monetary settlement, Advocate also entered into a “Resolution Agreement” with OCR. In the Resolution Agreement, OCR listed the reasons Advocate was in noncompliance; these primarily came from the three breach notification reports that Advocate had submitted to HHS. Read the Resolution Agreement here.
The first report was submitted in August 2013, after four desktop computers containing ePHI were stolen from AMG. A month later, Advocate issued another report, this time related to a business associate called Blackhawk Consulting Group (Blackhawk), which handled most of AMG’s billing services. The last report was issued just three months thereafter, when an unencrypted laptop was stolen from an AMG member’s vehicle.
The investigation of each report alleged that Advocate 1) failed to conduct an accurate and thorough risk analysis incorporating all of its facilities, equipment, and data systems that use ePHI, 2) failed to implement policies and procedures limiting physical access to electronic information systems, 3) failed to obtain assurances from its business associate, Blackhawk, that Blackhawk would properly safeguard all of Advocate’s confidential information, 4) impermissibly disclosed ePHI to Blackhawk by failing to obtain those assurances in the form of a business associate contract, and lastly 5) failed to safeguard this information when an AMG member left an unencrypted laptop in an unlocked vehicle overnight.
Corrective Response to the Settlement
OCR and Advocate agreed to a “Corrective Action Plan” (CAP). In the CAP, which runs for two years, Advocate promised to take corrective actions ranging from revising its existing risk analysis to developing policies and procedures that implement proper security measures.
In detail, Advocate agreed to a plan under which it will complete an inventory to keep track of all the facilities, electronic equipment, and data systems that store ePHI. Next, Advocate will conduct a comprehensive and detailed risk analysis to identify all potential risks to the confidentiality, integrity, and availability of any ePHI. In addition, Advocate will develop a Risk Management Plan to address the security risks and vulnerabilities found in the risk analysis. The CAP includes a timeline so that Advocate can evaluate and revise its risk remediation activities accordingly. Meanwhile, Advocate will develop a written process that regularly evaluates environmental and operational changes likely to affect the security of ePHI. Advocate agreed to submit a report to HHS on its encryption status, including, but not limited to, the total number of devices and equipment that are encrypted and an explanation for any devices that are not. Furthermore, Advocate will review and revise its policies and procedures on a regular basis and assess current and future business relationships involving a business associate, while limiting disclosures of ePHI to business associates. Lastly, Advocate will begin to provide regular HIPAA training to all of its employees who have access to ePHI. Read the Corrective Action Plan here.
Message Behind This Settlement
It appears that OCR hopes to use this settlement to send a message to all other health care entities that a comprehensive risk analysis, along with a detailed risk management plan, is imperative to ensure that every entity is in full compliance with HIPAA. In doing so, OCR is pushing for an increase in adequate physical, technical, and administrative security measures to reduce the risks to ePHI.