Latest HIPAA Settlements Focus on ePHI Protection

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) just announced the settlement of two new HIPAA cases. The result for one of those cases was a record-setting single settlement of $5.55 million. The new settlements are meant to “send a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure.” It’s clear that the OCR is taking a stronger stance on its enforcement actions.

A Record-Setting HIPAA Settlement

Advocate Health Care Network has agreed to a settlement with the OCR for multiple potential violations of HIPAA involving ePHI. This settlement breaks records at $5.55 million, in addition to a corrective action plan. The OCR press release notes the reasoning behind such a large settlement:

“This significant settlement, the largest to-date against a single entity, is a result of the extent and duration of the alleged noncompliance (dating back to the inception of the Security Rule in some instances), the involvement of the State Attorney General in a corresponding investigation, and the large number of individuals whose information was affected by Advocate, one of the largest health systems in the country. "

The settlement relates to three distinct breach reports involving its subsidiary, Advocate Medical Group, in 2013. The investigation found many shortcomings, including:

• A failure to conduct risk assessments
• Lack of policies and procedures to limit the physical access to data
• Lack of contracted safeguards with business associates
• A series of failures which resulted in the loss of an unencrypted laptop in an unlocked vehicle

The second settlement announced this week is with the University of Mississippi Medical Center. This $2.75 million settlement stems from several potential violations, including a failure to:

• Implement policies and procedures to prevent, detect, contain and correct security violations
• Implement data access controls
• Track ePHI and failures to notify all affected individuals following a breach

In this particular case, the OCR found that the University of Mississippi Medical Center failed to address known vulnerabilities in its systems, “due largely to organizational deficiencies and insufficient institutional oversight.”

The Push for More Accountablity

As JD Supra notes, the OCR has moved beyond education to focusing on stronger enforcement and accountability:

 “Big-dollar settlements and highly-detailed corrective action plans (CAP) are becoming the new normal.”

Earlier this summer, HIPAA announced its first resolution with a business associate, which was among the first resolutions to also place a value on the loss of a mobile device. These new settlements re-enforce the growing trend of steep HIPAA penalties.

As part of the detailed CAPs laid out for these settlements, the OCR is now requiring a detailed encryption report, with total devices used to access, store, download or transmit ePHI. Having the ability to quickly assess, monitor and report on encryption status is a huge benefit to meeting these expectations for HIPAA compliance.