Advocate Health Care hit by $5.55M fine for HIPAA violations

Advocate Health Care, the largest delivery system in Illinois, on Thursday was hit with the largest fine ever levied on a healthcare organization charged with HIPAA violations.

The HHS Office for Civil Rights has fined Advocate $5.55 million. In announcing the punishment, OCR noted that the size of the penalty was “a result of the extent and duration of the alleged noncompliance (dating back to the inception of the Security Rule in some instances), the involvement of the State Attorney General in a corresponding investigation, and the large number of individuals whose information was affected by Advocate, one of the largest health systems in the country.”

In a statement timed with the announcement, OCR Director Jocelyn Samuels said, “We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ electronic protected health information is secure.”

In 2013, Advocate submitted three breach notification reports involving separate incidents within its Advocate Medical Group subsidiary and affecting about 4 million individuals.

In its subsequent investigation, OCR found substantial deficiencies in how Advocate conducted risk assessments of electronic protected health information; how it implemented policies, procedures and facility access controls to limit access to electronic health records; how it oversaw the safeguarding of ePHI by business associates; and how it safeguarded an unencrypted laptop left in an unlocked vehicle overnight.

Under a corrective action plan, Advocate will conduct a comprehensive risk analysis of its ePHI; implement an enterprisewide risk management plan; regularly evaluate environmental or operational changes that affect ePHI security; submit a report on its encryption status along with explanations for devices and equipment not encrypted; develop an enhanced privacy and security awareness training program; submit a plan to monitor its compliance with the corrective action plan; and review and revise policies on device and media controls, facility access controls and business associates.

Advocate released the following statement on the agreement with OCR:

Protecting the privacy and confidentiality of our patients while delivering the highest level of care and service are our top priorities. As all industries deal with the ever-evolving digital landscape and the impact it has on security, we’ve enhanced our data encryption measures to prevent this type of incident from reoccurring. While there continues to be no indication that the information was misused, we deeply regret any inconvenience this incident has caused our patients. We continue to cooperate fully with the government to advance our patient privacy protection efforts.