Federal regulators announced last week that Illinois’ largest hospital chain would pay $5.5 million, a record payment under the Health Insurance Portability and Accountability Act (HIPAA), in connection with three 2013 data breaches that affected the protected health information of millions of its patients. The Advocate Health Care Network, which manages twelve hospitals and hundreds of satellite offices, agreed to the settlement after the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) determined that Advocate did not properly limit access to electronic systems nor adequately assess risks of its electronically held PHI.
The breaches resulted from three separate incidents: (1) the theft of four laptop computers from an office building; (2) unauthorized access into a business associate’s computer network and (3) the theft of an unencrypted computer from an employee’s unlocked vehicle. Approximately four million individuals were affected.
In addition to the monetary payment, Advocate agreed to a number of security improvements including a risk analysis for ePHI, adopting a plan for managing security risks and expanded HIPAA training. In a statement after reports of the settlement, Advocate noted that there has been no indication that any of the acquired PHI was misused.
The settlement is further evidence of the OCR’s efforts to ramp up audits to gauge HIPAA compliance and enforce violations where they exist. To date, 2016 HIPAA settlements total $20.4 million, which already far exceeds the annual record of $7.9 million in 2014. In light of OCR’s enforcement efforts, health plans, providers and other covered entities will want to be vigilant in their HIPAA compliance by, among other things, engaging in a comprehensive risk analysis and risk management to ensure that individuals’ PHI is secure.