Advocate Health's Dubious Honor: Paying the Largest HIPAA Penalty to Date


The Business Advisor - Special Healthcare Alert

August 10, 2016

2015 was the year of the healthcare hack. Hacks of Anthem, Premera Blue Cross, Excellus BlueCross BlueShield, UCLA Health, and Medical Informatics Engineering compromised the electronic Protected Health Information (“ePHI”) of more than 110 million people. However, even “low tech” breaches of ePHI can affect millions of people.

In 2013, Advocate Health Care Network (“Advocate”) in Illinois experienced three separate breaches of ePHI. Advocate’s electronic records were not hacked, however. The most serious breach resulted from the theft of four unencrypted laptops during a break-in at an Advocate facility. That theft compromised the ePHI of almost four million people. A second breach also resulted from the theft of an unencrypted laptop. A laptop containing the ePHI of approximately 2,000 people was stolen from an employee’s unlocked car. The third breach, also involving the ePHI of approximately 2,000 people, resulted from the unauthorized access by a third party of ePHI in the possession of a business associate of Advocate. Because each breach involved more than 500 people, Advocate submitted three separate breach notification reports to the United States Department of Health and Human Services (HHS) between August 23, 2013 and November 1, 2013, thereby triggering three HIPAA investigations by HHS.

Advocate also notified the impacted individuals of the breaches, as well as the local media, because the breaches impacted more than 500 people in the same jurisdiction. Needless to say, the Advocate breaches attracted significant media attention and, quite predictably, generated class action litigation against Advocate. Advocate has obtained dismissals of many of the claims asserted in those class actions but has not been as lucky with HHS. Advocate now holds the dubious honor of having paid the largest penalty to settle a HIPAA breach claim with HHS. Advocate’s $5.55 million penalty broke the prior $4.8 million record set in a settlement of HIPAA claims between HHS and New York Presbyterian Hospital and Columbia University.

In addition to paying the $5.55 million penalty, Advocate has entered into a Resolution Agreement and a Corrective Action Plan (“Advocate CAP”) with HHS, which can be found here, together with HHS’s press release. Like most CAPs, the Advocate CAP requires the company to develop and conduct a security risk analysis and to develop and implement: (a) a risk management plan; (b) a plan to evaluate the impact of environmental and operational changes at Advocate on data security; and (c) a plan to improve data privacy and security training. Advocate must present those plans (together with its data privacy and security training materials) to HHS for review, comment, and modification to reflect any comments by HHS. Reflecting the specific nature of the Advocate breaches, Advocate must also periodically review and, if necessary, revise its HIPAA policies governing: (i) device and media controls; (ii) physical access to its facilities; and (iii) its relationships with its business associates. Those policies must also be submitted to HHS for review, comment, and amendment to reflect HHS’s comments. In addition, the Advocate CAP imposes extensive reporting requirements on Advocate, including an initial implementation report, annual compliance reports, and prompt reporting of HIPAA breaches to HHS.

Reflecting HHS’s continuing emphasis on encrypting ePHI, the Advocate CAP requires Advocate to develop and submit to HHS for approval a written report addressing its encryption status. That report must include: (i) the total number of devices and pieces of equipment owned by Advocate, including desktop computers, laptops, tablets, mobile phones, USB drives, and medical equipment, that can be used to access, store, download, or transmit ePHI (collectively, “Devices”); (ii) the total number of Devices that are encrypted (as well as evidence of encryption); and (iii) an explanation of why the remaining Devices are not encrypted. Like the HIPAA Security Rule (see 45 CFR § 164.302, et seq.), the Advocate CAP does not actually require encryption but places the burden on Advocate to justify leaving any of its Devices unencrypted. It appears, therefore, that HHS is continuing to move closer to a de facto, if not de jure, requirement that devices and equipment that access, store, download, or transmit ePHI be encrypted.

Advocate must also retain at its own expense a business partner in the form of an independent “assessor.” The assessor will monitor Advocate’s compliance with the Advocate CAP during its entire term.1 Although chosen by Advocate, the assessor must be approved by HHS. The assessor must submit to HHS for review and approval an initial plan for monitoring Advocate’s compliance efforts, which must be reviewed and, if necessary, revised annually. The assessor is provided with powerful tools to monitor Advocate’s compliance efforts, including the authority to conduct unannounced inspections of Advocate facilities. The assessor must meet quarterly with Advocate’s Security Officer, report any violations of the Advocate CAP to HHS, and submit annual reports to HHS to which Advocate may respond. The assessor can be removed only for cause and then only with HHS’s approval. HHS can require the termination of an assessor who lacks the requisite expertise, independence, or objectivity to perform his or her monitoring duties.

Advocate’s compliance with the Advocate CAP is crucial. A breach could undo the settlement between Advocate and HHS and result in the imposition of a civil monetary penalty. Because the Advocate breaches impacted almost four million people and, in some cases, dated back to the inception of the HIPAA Privacy Rule (see 45 CFR §§ 164.500, et seq.) in 2003, a civil penalty in the tens of millions of dollars would be possible. See 45 CFR § 160.404(b)(2). The Advocate HIPAA penalty reflects the increased HIPAA enforcement activity by HHS in 2016, during which HIPAA has recovered to date $20.4 million in penalties and is thereby far outpacing its recoveries in prior years. It remains to be seen how much hacked entities like Anthem (80 million people affected) might have to pay to settle with HHS, especially because, in many cases, the hacking commenced months or years before discovery.

Please contact the author at either or (973) 596-4523 with any questions you might have concerning the issues discussed in this Alert.

Based on the schedule for the various actions required thereby, it is anticipated that the Advocate CAP will remain in effect for three years.