Insights: Alerts Largest Health & Human Services HIPAA Settlement Wake-Up Call for Covered Entities to Evaluate and Mitigate Risks
OCR started investigating Advocate in 2013 after Advocate notified OCR of three breaches. One breach involved four laptops stolen from an office building. A second breach concerned the unauthorized access of a computer network, and the third breach involved the theft of a computer from an employee’s vehicle. The potentially compromised information included a variety of protected health information such as patient names, addresses, health insurance information, credit card numbers, and clinical information.
The settlement is intended to scare entities subject to HIPAA into performing “a comprehensive risk analysis and risk management to ensure that individuals’ [electronic protected health information] is secure.” OCR further explained that covered entities must implement “physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”
This settlement should serve as a wake-up call to all covered entities subject to HIPAA to assess and mitigate their risks by:
-- Evaluating risks and vulnerabilities of protected health information and establishing internal controls that address those risks and vulnerabilities;
-- Implementing controls that limit access to information systems with protected health information (including encryption meeting HIPAA breach rule standards for computers and mobile devices);
-- Ensuring business associates understand their obligations to safeguard protected health information; and
-- Implementing safeguards for transmitting and transporting protected health information.
By performing these housekeeping measures, entities handling protected health information may prevent or mitigate HIPAA violations. OCR’s settlement with Advocate sends a clear message that failing to comply could be an expensive proposition. And although HHS still limits its enforcement of breaches, the FTC has made it clear in LabMD that it will pursue the same covered entities and business associates for mere vulnerabilities in the absence of a breach.
For additional information or assistance in conducting a risk assessment, please contact one of the authors or your regular Kilpatrick Townsend contact.
While we are pleased to have you contact us by telephone, surface mail, electronic mail, or by facsimile transmission, contacting Kilpatrick Townsend & Stockton LLP or any of its attorneys does not create an attorney-client relationship. The formation of an attorney-client relationship requires consideration of multiple factors, including possible conflicts of interest. An attorney-client relationship is formed only when both you and the Firm have agreed to proceed with a defined engagement.
DO NOT CONVEY TO US ANY INFORMATION YOU REGARD AS CONFIDENTIAL UNTIL A FORMAL CLIENT-ATTORNEY RELATIONSHIP HAS BEEN ESTABLISHED.
If you do convey information, you recognize that we may review and disclose the information, and you agree that even if you regard the information as highly confidential and even if it is transmitted in a good faith effort to retain us, such a review does not preclude us from representing another client directly adverse to you, even in a matter where that information could be used against you.