The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently settled with Advocate Health Care Network (Advocate), one of the largest health systems in the country. Advocate agreed to pay $5.55 million, the largest HIPAA settlement with a single entity to date, and to implement corrective actions for potentially violating the Health Insurance Portability and Accountability Act (HIPAA). OCR opened its investigation in 2013 after receiving three electronic protected health information (ePHI) breach notification reports involving Advocate's subsidiary, a nonprofit physician-led medical group serving Illinois. The breaches compromised ePHI belonging to roughly four million individuals, including demographic, clinical, and health insurance information.
OCR further found that Advocate failed to:
- Adequately assess potential risks and vulnerabilities to ePHI;
- Implement controls to restrict physical access to electronic information systems;
- Execute agreements to ensure that business associates would properly safeguard ePHI; and
- Secure unencrypted electronic devices containing ePHI.
Additionally, OCR recently launched an initiative to more widely investigate smaller HIPAA breaches, those involving the PHI of fewer than 500 individuals. OCR Regional Offices currently prioritize investigation of these smaller breaches based on the availability of resources. Beginning in August 2016, the Regional Offices will increase their efforts to investigate smaller breaches by (1) addressing entity-specific and systemic noncompliance; and (2) identifying and obtaining corrective action.
Regional Office investigations will examine the following factors:
- The extent of the breach;
- The improper removal of unencrypted PHI;
- Whether the breach involves hacking into IT systems;
- The amount, nature, and sensitivity of the PHI involved; and
- Whether multiple breach reports from the same covered entity or business associate involve similar issues.
The new initiative is intended to let OCR better evaluate HIPAA compliance programs, facilitate correction of deficiencies, and understand the issues arising across HIPAA-regulated entities.