HHS Announces $5.55 Million HIPAA Settlement - The Largest To-Date with a Single Entity

Posted by Adam Freed on Tuesday, August 16, 2016

Earlier this month, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced its largest settlement to-date involving a single entity for potential violations of the Health Insurance Portability and Accountability Act, or HIPAA.  Under the settlement, Advocate Health Care Network in Illinois agreed to pay $5.55 million and to adopt a rigorous corrective action plan involving a comprehensive risk analysis, risk management plan, training, and oversight by an independent third-party compliance assessor. 

Over a three-month period in 2013, Advocate Health Care Network submitted three breach notification reports to OCR.  The first breach notification involved one of Advocate’s subsidiaries and arose from the theft of four desktop computers containing electronic protected health information of approximately 4 million individuals.  The second breach notification involved a business associate of Advocate that provides billing services and arose when an unauthorized third party accessed the business associate’s networks, potentially compromising the electronic protected health information of over 2,000 individuals.  The third breach notification involved the theft of an unencrypted laptop computer containing the electronic protected health information of over 2,200 individuals. 

In its settlement, OCR noted that Advocate, among other things, “failed to conduct an accurate and thorough risk analysis,” “failed to implement policies and procedures to limit physical access to its electronic information systems,” and failed to have a satisfactory business associate agreement with its business associate to require the business associate to safeguard electronic protected health information in its possession.   

This case highlights the importance of conducting a thorough risk analysis and implementing a comprehensive HIPAA compliance plan.  Health care providers and anyone else who creates, receives, or transmits electronic protected health information must take their obligations under HIPAA very seriously, as the potential liability resulting from noncompliance can be significant.

You can read the full settlement agreement with OCR at http://www.hhs.gov/sites/default/files/Advocate_racap.pdf.