Advocate Health Care Network, a Chicago area hospital and clinic management group, had some very bad luck in 2013. Someone stole four unencrypted laptop computers from one of its subsidiary branches. The laptops contained nearly 4 million electronic personal health information (ePHI) records. Worse yet, the records were not encrypted.
In yet another incident, an employee left a laptop in an unattended personal vehicle. Someone stole it along with its more than 2,200 records.
Breaches compounded by a business associate
The aforementioned breaches were worsened by another reported incident at Advocate’s business associate, Blackhawk Consulting Group, which handled Advocate’s billing. Blackhawk was the victim of unauthorized network access, which compromised more than 2,000 additional Advocate patient records.
HHS took a dim view
Advocate Health Care reported these incidents, investigated them, and had no choice but to wait for the hammer to fall. The Department of Health and Human Services, HHS, determined that Advocate had failed to:
Advocate, as a “covered entity” under HIPAA, and under the provisions of various sections of 45 CFR, was required to do each of these items. Had they complied, they could have avoided the hefty $5.5 million penalty, euphemistically termed the “Resolution Amount.”
CAP accompanied penalty
Along with the $5.5 million payment, Advocate was required to follow a rigorous and detailed corrective action plan, or CAP. The CAP for Advocate is a detailed, 17-page Appendix to the agreement, which should be required reading for any covered entity as a road map to complying with HIPAA.
The CAP terms summarized
Under the terms and conditions of the CAP, among other things, Advocate must do the following:
Are you ready for an HIPAA audit? Phase 2 is underway. Network Heroes is the trusted choice when it comes to staying ahead of the latest information HIPAA developments, technology tips, tricks and news. Contact us at (844) 336-4376 or send us an email at email@example.com for more information.