Reasons for Big Fine
Privacy attorney Kirk Nahra of the law firm Wiley Rein says that while the settlement appears to focus on compliance issues, such as failure to conduct risk analysis, that are frequently highlighted by the enforcement agency, the OCR breach investigations likely uncovered egregious violations.
“OCR is – and has been historically – both reasonable and knowledgeable,” he says. “They seem to know when people are trying hard and when they are not. Going through their cases – and I don’t see anything here to indicate this [Advocate case] is different – ‘extent and duration’ matters a lot, as does not fixing existing problems.”
Privacy attorney David Holtzman, vice president of compliance at the security consultancy CynergisTek, says every OCR resolution agreement is a negotiated settlement in which any number of factors can influence the outcome. “A significant factor in the size of the payment to settle the allegations with OCR is the length of time in which OCR found that Advocate had not met the requirements of the HIPAA Security Rule, as well as their apparent ample financial resources allowing them to absorb the cost of such a penalty,” he says.
“What I see as important are the allegations that Advocate health system had not met the HIPAA Security Rule requirements established in 2005 to perform an enterprisewide information security risk assessment or put into place a program designed to reasonably safeguard protected health information across its organization,” Holtzman says.
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine says the settlement offers important lessons: “The top three takeaways for me from this settlement are: The bigger the entity, the bigger the settlement, with OCR steadily increasing the settlement amount it is seeking to impose on large covered entities; covered entities have had over a decade to come into compliance with the HIPAA Security Rule; … and OCR continues to focus on the importance of a risk analysis.”
OCR’s 10th Settlement This Year
The settlement with Advocate is OCR’s tenth enforcement action so far in 2016, keeping the agency on a roll in issuing a record number of HIPAA enforcement actions (see 2016 Watershed Year for HIPAA Enforcement).
This latest fine brings the total penalties levied by OCR this year to about $20.5 million, more than in any previous year.
“At this point, we have a record number of settlements in 2016, and a record-breaking settlement amount, with over four months remaining in the year,” Greene notes. “I expect that we will continue to see an increased number of settlements over the coming years, although there may be a lull in the beginning of 2017 as the administration changes.”
Nahra adds: “You could certainly read into the last few months of HIPAA activity and say both that the pace of enforcement is increasing and that OCR is being less tolerant of significant violations. I don’t see any overall change at the biggest picture level – they still tend to be reasonable, and appreciate strong efforts at compliance, even if something doesn’t work.”
The message to HIPAA covered entities and business associates from the latest enforcement activities, Nahra says, is: “OCR is out there, is active, and can tell if you aren’t doing a good job. It makes sense to re-evaluate and re-examine your compliance approach, even if you haven’t had real problems before.”
The Three Breaches
The three Advocate breaches exposed a variety of demographic, clinical and health insurance information, as well as credit card numbers. The largest of the incidents involved the theft of four unencrypted computers in July 2013 from an office of Advocate Medical Group in Illinois.
OCR notes that the two other breaches reported in 2013 leading to the settlement included:
- A breach involving Blackhawk Consulting Group, a business associate that provides billing services to Advocate. Advocate reported that the ePHI of 2,027 patients had been potentially compromised when an unauthorized third party accessed Blackhawk’s network.
- The theft of an unencrypted laptop containing the ePHI of approximately 2,237 individuals from an Advocate workforce member’s vehicle.
OCR says the investigations into the three incidents revealed that Advocate failed to:
- Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI;
- Implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center;
- Obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession;
- Reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight.
Corrective Actions Mandated
As part of the resolution agreement, Advocate has agreed to a corrective action plan that calls for:
- Conducting a comprehensive and thorough risk analysis and implementing a risk management plan;
- Implementing processes for evaluating environmental and operational changes that affect the security of ePHI in Advocate’s possession or control;
- Developing a report on its encryption status;
- Revising policies and procedures on device and media controls as well as limiting physical access to all of its electronic information;
- Revising policies and procedures related to business associates; and
- Developing an enhanced privacy and security awareness training program.
In a statement provided to Information Security Media Group, Advocate says: “Protecting the privacy and confidentiality of our patients while delivering the highest level of care and service are our top priorities. As all industries deal with the ever-evolving digital landscape and the impact it has on security, we’ve enhanced our data encryption measures to prevent this type of incident from reoccurring. While there continues to be no indication that the information was misused, we deeply regret any inconvenience this incident has caused our patients. We continue to cooperate fully with the government to advance our patient privacy protection efforts.”
While OCR hit Advocate hard in its enforcement action, an Illinois appellate court in August 2015 upheld the dismissal of two breach-related lawsuits filed against the health system (see Advocate Health Ruling: The Impact).