Advocate Health Care Network, a Chicago area hospital and clinic management group, had a very bad year in 2013. Four unencrypted desktop computers were stolen from one of its administrative offices. Those machines held the electronic protected health information (ePHI) of nearly 4 million patients, and because the drives were not encrypted, whoever took the hardware took readable records with it.
In a separate incident, an employee left an unencrypted laptop in an unattended personal vehicle. Someone stole it, along with the more than 2,200 patient records stored on it.
Breaches compounded by a business associate
The breaches above were compounded by a third reported incident, this one at Advocate's business associate, Blackhawk Consulting Group, which handled Advocate's billing. Blackhawk's network was accessed without authorization, compromising more than 2,000 additional Advocate patient records.
HHS took a dim view
Advocate Health Care reported these incidents, investigated them, and then had no choice but to wait for the hammer to fall. The Department of Health and Human Services (HHS) Office for Civil Rights determined that Advocate had failed to:
- Conduct the necessary risk analysis incorporating all its facilities
- Write and enforce policies limiting physical access to its electronic systems
- Reasonably safeguard the nearly 4 million electronic health records held at the support center and on Blackhawk's premises, where the data breaches occurred
- Obtain satisfactory assurances "in the form of a written business associate contract" from its business associate, Blackhawk Consulting Group, including assurances that Blackhawk would appropriately safeguard those records
Advocate, as a "covered entity" under HIPAA, was required to do each of these things by the Privacy and Security Rules at 45 CFR Parts 160 and 164. Had it complied, it could have avoided the hefty $5.55 million settlement, euphemistically termed the "Resolution Amount" in the agreement with HHS.
CAP accompanied penalty
Along with the $5.55 million payment, Advocate was required to follow a rigorous and detailed corrective action plan, or CAP. The CAP for Advocate is a detailed, 17-page appendix to the resolution agreement, and it should be required reading for any covered entity as a road map to complying with HIPAA.
The CAP terms summarized
Under the terms and conditions of the CAP, among other things, Advocate must do the following:
- Conduct a comprehensive and thorough risk analysis incorporating all its facilities. Among other things, this includes making a complete inventory of all facilities, electronic equipment and data systems, and software applications used by any Advocate entity.
- Develop and implement a Risk Management Plan designed to mitigate security risks identified in the aforementioned risk analysis.
- Develop a written process for regularly evaluating operational changes that affect the security of health records. This includes "any environmental or operational changes that affect the (records) security... including Advocate's acquisition of new entities."
- Devise a plan to encrypt the health record data. This includes a report listing every electronic device (from desktop computers and mobile devices down to USB drives) along with evidence that the data stored on each has been encrypted.
- Review and revise, as necessary, its policies and procedures on device and media controls.
- Strengthen its policies and procedures on physical access to facilities and on access to electronic information.
- Review and revise its policies and procedures regarding business associates. This includes executing the business associate agreement mentioned above, which makes the associate aware of its obligations under HIPAA as a business associate.
- Improve and update its workforce training program. Among other things, this includes general instruction on HIPAA compliance.
- Send HHS an internal monitoring plan, “a written description of Advocate’s plan to monitor internally its compliance with this CAP.”
Are you ready for a HIPAA audit? Phase 2 of the HHS audit program is underway. Apex is the trusted choice for staying ahead of the latest HIPAA developments, technology tips, tricks and news. Contact us at (800) 310-2739 or by email for more information.