HIPAA Non-Compliance Results in Largest Single-Entity Settlement to Date

On August 4, 2016, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) entered into a settlement agreement with Advocate Health Care Center (Advocate) in which Advocate agreed to pay $5.5 million to settle multiple violations of the Health Insurance Portability and Accountability Act (HIPAA).  This is the largest HIPAA settlement against a single entity to date, and according to OCR, is due to the severity of the violations and the length of time that those violations continued.

According to OCR’s press release, OCR began its investigation of Advocate in 2013, after Advocate submitted three breach notification reports relating to three separate instances of breach of unsecured electronic protected health information (ePHI).  The combined breaches resulted in unsecured access to over four million patients’ information.

OCR’s investigation revealed that Advocate failed to:

1. Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI;
2. Implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center;
3. Obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession; and
4. Reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight.

In addition to the $5.5 million settlement, Advocate entered into a two-year corrective action plan with OCR.  The plan can be a useful guide for covered entities to see the type of HIPAA compliance efforts expected by OCR.  Read the full corrective action plan here.

This settlement highlights the harsh consequences that come with HIPAA non-compliance.  Director Jocelyn Samuels made the following statement in the OCR press release: “We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ electronic protected health information is secure.”  Clearly, all covered entities should be certain that the necessary steps are taken to ensure their HIPAA compliance programs effectively protect all protected health information and avert potentially crippling penalties from being imposed against them.

Posted by Attorney Katherine M. Flett. Flett is a member of the litigation team whose primary focus is on assisting clients in insurance defense, business litigation, employment law, and bankruptcy matters.