Key Takeaways from OCR’s Resolution Agreement with Advocate Health Care

On August 4, 2016, the Office for Civil Rights (OCR) announced a resolution agreement with Advocate Health System, the largest health system in the state of Illinois, which included a $5.5 million civil monetary penalty.

The fine is the largest OCR has imposed on any single entity to date.

The agreement was the result of three breaches that Advocate reported between August 23rd and November 1st, 2013, which together compromised the privacy of 4 million patients.

The First Breach (and the largest): The theft of four desktop computers on July 15th, 2013 from the offices of Advocate Medical Group (AMG), the ambulatory clinic operation of Advocate. The desktops contained the ePHI of over 4 million patients.

The Second Breach: The unauthorized intrusion into the network of a business associate of AMG, Blackhawk Consulting Group, a billing contractor.

The Third Breach: The theft of an unencrypted laptop containing the ePHI of 2,237 individuals. Again, it was an AMG employee’s laptop.

Lessons We Can Learn From Advocate's Experience: The Resolution Agreement Spells It Out

1. Conduct a thorough risk analysis. It's impossible to overemphasize the importance of this first lesson. Risk analysis is the cornerstone of your information security program. You need to conduct a risk analysis, and it needs to be sufficient in scope to identify and document the "risks and vulnerabilities…of ePHI held by the covered entity" (§ 164.308(a)(1)(ii)(A)). ALL OF IT. The language of the Advocate resolution agreement implies that a risk analysis was performed but that it was not sufficient in scope: it failed to incorporate "all of its facilities, information technology equipment, applications and data systems utilizing ePHI." It's speculation, but perhaps the AMG operations were not included within the scope of its risk analysis. I've observed this problem before in my own consulting practice.

2. Put a risk management plan into place from the findings of your risk analysis. Covered entities have an obligation not just to identify and document risks but to mitigate them to a reasonable and appropriate level (§ 164.308(a)(1)(ii)(B)). The risk management plan is the required process and document for managing these risks. It should rank risks according to severity and prioritize the controls that should be put into place to mitigate them. The risk management plan is a "living document" that should be updated when controls are implemented or when an information security incident indicates that new controls are needed. It should document the status of each recommended control (approved, under review, rejected, etc.) and a timeline for its implementation.

3. Ensure your risk analysis includes the physical security of your IT assets. There is a whole category of HIPAA rules focused on physical security (see 45 C.F.R. § 164.310), a whole standard dedicated to facility security (see § 164.310(a)(1)), and an implementation specification for a "Facility Security Plan" (see § 164.310(a)(2)(ii)). At first glance, physical security seems like it should be easy. A formal security plan should consider whether physical security controls such as key-only entry, proximity card entry, and other access controls are sufficient to protect physical assets like workstations. The plan should also consider the sufficiency of monitoring solutions such as video cameras, device tracking, etc. A more robust plan should consider factors such as how data is delivered to a workstation (virtualized vs. client/server), the location of assets, and whether they sit in a public or semi-public area, in a private, employee-only "sterile" area, or in a highly secure data center. Enterprises should consider more extensive use of virtual desktop or thin-client environments to minimize the amount of data stored on workstations.

4. Know who your business associates are and provide a reasonable level of oversight of your BAs' use of ePHI. AMG did not have a Business Associate Agreement (BAA) in place with Blackhawk. Failing to have a BAA in place for such an obvious business associate, one that was clearly handling a significant volume of ePHI, was indeed a failure. Whether a vendor is a business associate is determined not by whether a BAA is in place but by the nature of the work the vendor is doing. Blackhawk was a business associate because it handled the PHI of Advocate, and Advocate did not have a BAA in place as required by the regulations (§ 164.308(b)(4)). Covered entities need to take pains to:

  • Identify their business associates
  • Document who their business associates are, including a description of what PHI each business associate handles and how
  • Put into place reasonable mechanisms to oversee the handling of PHI by their business associates, especially if the vendor provides mission-critical functions to the covered entity or is handling large quantities of sensitive patient information

5. The scope of your risk analysis should include an "encryption report." Encryption is an addressable safeguard under the regulations, which means that it must be implemented if "reasonable and appropriate." Covered entities have an affirmative responsibility to determine and document whether it's reasonable and appropriate to encrypt a particular asset or class of assets. Factors that should be considered in such an analysis:

  • Does the asset access, store, download or transmit ePHI?
  • If the device stores ePHI, how much does it store?
  • Is the physical security of the asset sufficient (see the physical security lesson above)?
  • How does encryption of the asset affect performance?
  • Are there alternatives to encryption that could be implemented, such as virtualization or use of thin-client devices?

Generally, it's reasonable and appropriate for all portable devices storing ePHI, such as laptops, to be encrypted.

It's worth noting that there's some interesting overlap between the resolution agreement and the recent guidance from OCR on the HIPAA audit program. The endpoint of the audit process is to determine whether an entity has sufficient documentation to demonstrate its compliance and whether that documentation supports a finding of compliance. Of the seven areas of focus of the OCR audit program, two are called out as the key issues of the Advocate Resolution Agreement and Corrective Action Plan: Risk Analysis and Risk Management. Advocate failed in both areas. I suspect that the findings of the audit program will show that a high percentage of entities failed in these areas as well.
