This week, the HHS’ Office for Civil Rights announced it has issued the largest ever HIPAA penalty to a single covered entity. Advocate Health will pay a penalty of $5.55 million to OCR to settle the case, which involved multiple potential HIPAA violations some of which spanned several years. OCR reports that some violations of the Health Insurance Portability and Accountability Act date back to when the HIPAA Security Rule was first introduced.
OCR conducted an investigation into Advocate Health after receiving three breach notifications, one of which related to a breach of more than 4 million patient records. The data breaches occurred in quick succession. OCR was notified of the breaches on August 23, September 13, and November 1.
The first and largest breach was first thought to have impacted 4,029,530 patients, although the breach was later determined to have involved the exposure of 3,994,175 individuals’ ePHI. The data were exposed as a result of the theft of four desktop computers from Advocate Health’s administrative offices in Touhy Avenue in Park Ridge, Illinois on July 15, 2013.
The second breach occurred when a business associate of Advocate Health discovered that an unauthorized third party had gained access to a network server containing the ePHI of 2,027 individuals. The third breach was caused when a laptop computer containing the ePHI of 2,237 individuals was stolen from the vehicle of an Advocate Health employee. The unencrypted laptop had been left overnight in a vehicle which had been left unlocked.
The OCR investigation revealed numerous violations of HIPAA Rules. OCR discovered that Advocate Health had failed to conduct an accurate and through organization-wide risk analysis on all systems and technology that contacted ePHI. The theft of the desktop computers could potentially have been avoided had adequate physical controls been implemented at the Park Ridge data support center. OCR investigators determined that inadequate controls had been put in place to safeguard ePHI at the Park Ridge center.
The second breach was also determined to have involved a violation of HIPAA Rules. OCR maintained that Advocate Health failed to receive satisfactory assurances from its business associate – Blackhawk Consulting Group, a provider of billing services – that the ePHI of patients would be adequately safeguarded. HIPAA requires a written business associate agreement to be signed by all business associates prior to ePHI being provided. The BAA should detail the responsibilities of the BA with respect to ePHI. The lack of a HIPAA-compliant business associate agreement meant Advocate Health impermissibly disclosed the ePHI of 2,027 individuals to Blackhawk.
Relating to the third breach, OCR determined that the Advocate Health employee failed to ensure that ePHI was appropriately protected.
This was the largest ever HIPAA penalty for a single covered entity, beating the previous record of $3.5 million paid by Triple S Management Corporation in 2015. This settlement may hold the record for the largest ever HIPAA penalty, but it is unlikely that the record will be held for very long.