Record $5.5 Million HIPAA Data Security Settlement: Lessons Learned
On August 4, 2016, the Department of Health and Human Services, Office of Civil Rights (OCR) announced that Advocate Health Care Network, Illinois’ largest hospital chain, agreed to pay $5.5 million to resolve multiple alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). This settlement is the largest HIPAA-related settlement in OCR history, and comprises more than a quarter of the nearly $20 million that the government has collected in HIPAA-related enforcement actions in 2016 alone. This amount is likely to grow as the government continues its aggressive enforcement in this area and as increasingly complex cyber threats target health care entities and other repositories of valuable protected health information (PHI). Advocate’s experience demonstrates the potentially severe consequences of all-too-common HIPAA compliance shortfalls. Below, we offer practical suggestions for addressing and mitigating these compliance risks.
Advocate’s Alleged Exposure of Over 4 Million Patients’ ePHI
Advocate reported three separate data security breaches that resulted in unauthorized disclosure of the electronic PHI (ePHI) of over 4 million patients. According to OCR’s press release, the ePHI disclosed by these breaches included “demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and their expiration dates, and dates of birth.”
Two breaches arose from physical theft; one from a hack. In the first incident, four desktop computers that contained unsecured ePHI were stolen from an Advocate administrative office building, resulting in exposure of nearly 4 million patients’ ePHI. OCR contended that Advocate “failed to implement policies and procedures to limit physical access to its electronic information systems housed within” the building. In the second, an unencrypted laptop was stolen from an Advocate employee’s unlocked car, where the laptop had been left overnight.
The third breach occurred when an unauthorized third party accessed the computer network of one of Advocate’s business associates, which provided billing services for one of Advocate’s subsidiaries.
A Record-Breaking Settlement
OCR investigated and alleged that Advocate had a long history of HIPAA non-compliance, including some continuing violations “dating back to the inception of the [HIPAA] Security Rule.” OCR also alleged that Advocate’s current risk management plan was deficient and failed to adequately safeguard the ePHI in its possession. Accordingly, in addition to the record-breaking payment, Advocate’s settlement with OCR also obligates it to implement a Corrective Action Plan (CAP). Pursuant to the CAP, Advocate will revise its risk analysis protocol and implement a new, enterprise-wide risk management plan; revise its access controls and encryption policies; and revise policies regarding business associate agreements. Ensuring that Advocate complies with the CAP will be an appointed “Assessor,” or internal monitor, which must be approved by OCR. Advocate will be subject to the CAP and the Assessor’s oversight for two years after the Department of Health and Human Services gives final approval to Advocate’s corrective action obligations.
Advocate’s experience shows how the actions of a single employee or business associate can jeopardize the security of many patients’ sensitive ePHI, as well as impose high financial and reputational costs on the health care organization. The following data security best practices can help to reduce these risks.
- Minimize risk of physical loss. As Advocate’s experience shows, not all losses and improper disclosures of PHI happen online; whether stored on a mobile device or a server or in a file room, PHI – both electronic and hard copy – is vulnerable to theft and inadvertent loss or destruction. Train employees to be mindful of their devices’ physical security and not to leave devices containing ePHI unsecured, e.g., in a car or hotel room.
- Restrict access. Limit physical access to locations where PHI is stored and to devices containing ePHI to only those with a legitimate need for access. Employees also should be trained to maintain strict physical security.
- Use encryption. As we have noted elsewhere, encryption and password protection provide an additional layer of security, which is especially important in cases of physical loss. Encrypt and/or password protect all devices that store ePHI, including laptops, smart phones, tablets, and non-mobile devices like desktop computers. In addition, files containing ePHI should themselves also be encrypted.
- Ensure business associates are HIPAA-compliant. Execute written agreements with business associates obligating them to safeguard ePHI in their possession before turning over any ePHI. OCR has stressed that these business associate agreements are a necessary part of HIPAA compliance and should be in place with potential as well as established business partners. Consider auditing business associates for HIPAA compliance.
- Be proactive and plan ahead. Consider retaining outside counsel or other compliance professionals to review HIPAA and data security policies and procedures and to conduct an internal audit of employee training and compliance. Have a breach response plan, practice that plan regularly, and perform regular testing of your network and physical security.