The Office of Civil Rights (OCR) has announced its latest and largest HIPAA settlement to date. Advocate Health Care will pay a settlement amount of $5.55 million and adopt a corrective action plan to bring a lengthy OCR investigation to an end. In 2013, the Illinois-based health system first notified OCR of the theft of four unencrypted desktop computers, collectively housing the PHI of roughly 4 million individuals. Shortly after the start of OCR’s investigation, Advocate also reported two additional unauthorized disclosures of PHI affecting 4,000 individuals. OCR found that Advocate failed to conduct accurate risk assessments, obtain business associate agreements, implement appropriate policies and procedures, and reasonably safeguard a portable device.
After avoiding a number of class action suits arising from the breach, Advocate also awaits the conclusion of a separate investigation conducted by the Illinois Attorney General. Advocate’s breach remains the eighth largest health data breach on record.
The resolution agreement can be viewed here.
Justin A. Pope, JD
Associate Risk Manager
Justin Pope joined PRMS in 2014. Mr. Pope is responsible for researching emerging legal issues, creating online risk management content, and providing advice to individual providers through the Risk Management Consultation Service.
As a law student, he focused primarily on international, administrative, and food law. During his final year at Howard, Mr. Pope gained additional insight into the FDA’s regulatory process while serving as a research assistant to his professor. He has also interned as a legal assistant for both the Ft. Monroe Garrison Office of the Staff Judge Advocate and the Office of the Naval Inspector General, opining on a variety of legal issues, including privacy law. Mr. Pope received his Bachelor of Arts degree in International Affairs from the University of Virginia and his Juris Doctor degree from the Howard University School of Law.