
Advocate Health Care agrees to $5.5 million HIPAA violation settlement

Settlement is the largest in history against a single entity, HHS Office for Civil Rights says.

Beth Jones Sanborn, Managing Editor

Hospital in Chicago, IL, part of the Advocate network. Photo by Advocate Health

Advocate Health Care Network will pay $5.5 million to settle with the Department of Health and Human Services Office for Civil Rights regarding multiple potential HIPAA violations that involved electronic protected health information, HHS announced.

OCR started investigating Advocate back in 2013 following Advocate's submission of three breach notification reports. The reports related to separate incidents involving Advocate's subsidiary Advocate Medical Group. The breaches affected the protected information of roughly 4 million people. According to OCR, the compromised information included demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and their expiration dates, and dates of birth.


Upon investigating the breach incidents, OCR said it found Advocate had failed on several fronts. First, Advocate did not conduct an "accurate and thorough assessment" of the possible risks and vulnerabilities to its protected health information. Second, OCR found it had failed to put policies, procedures and access controls in place to limit physical access to the electronic information systems housed within its data support center. Third, Advocate did not obtain "satisfactory assurances," i.e., a written business associate contract in which the associate commits to safeguarding all protected information in its possession. Finally, OCR found that Advocate failed to "reasonably safeguard" an unencrypted laptop that had been left in an unlocked vehicle overnight.


"We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals' ePHI is secure," said OCR Director Jocelyn Samuels. "This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level."

"Protecting the privacy and confidentiality of our patients while delivering the highest level of care and service are our top priorities. As all industries deal with the ever-evolving digital landscape and the impact it has on security, we've enhanced our data encryption measures to prevent this type of incident from reoccurring. While there continues to be no indication that the information was misused, we deeply regret any inconvenience this incident has caused our patients. We continue to cooperate fully with the government to advance our patient privacy protection efforts," Advocate said in a statement.

Advocate Health Care Network is the largest fully-integrated health care system in Illinois, with more than 250 treatment locations, including ten acute-care hospitals and two integrated children's hospitals. Advocate Medical Group is a nonprofit physician-led medical group that provides primary care, medical imaging, outpatient and specialty services throughout the Chicago area and in Bloomington-Normal, Illinois.

Twitter: @BethJSanborn