The Office for Civil Rights (OCR) has assessed the largest settlement amount to date against Advocate Health Care Network. The OCR fined Advocate $5.55 million for multiple potential violations of the HIPAA Security Rule.
The investigations that eventually led to the fine were initiated in 2013 after three successive self-reported data breaches by Advocate. Two of the three were related to a Business Associate of Advocate. OCR stated, “This significant settlement, the largest to-date against a single entity, is a result of the extent and duration of the alleged noncompliance (dating back to the inception of the Security Rule in some instances), the involvement of the State Attorney General in a corresponding investigation, and the large number of individuals whose information was affected by Advocate, one of the largest health systems in the country.”
The press release and a link to the settlement agreement can be found at the URL below. Note that the link to the source document, the settlement agreement itself, stopped functioning a few hours after the press release went out. Please see: http://www.hhs.gov/about/news/2016/08/04/advocate-health-care-settles-potential-hipaa-penalties-555-million.html
This settlement reinforces the importance of including all of an organization’s PHI in its risk analysis process, and of reviewing and including all Business Associates and Business Associate Agreements in that process.