August 12, 2016

Hospital Chain Agrees To Record $5.5M HIPAA Settlement


Illinois hospital system Advocates Health Care Network recently agreed to a $5.55 million settlement with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), after an investigation initiated in 2013 revealed that Advocates had insufficient security in place for protected health information. This is the largest settlement amount resulting from violations of the Health Insurance Portability and Accountability Act (HIPAA) to date. The OCR investigation was triggered by Advocates’ reporting of three data breaches that affected about 4 million individuals.

During the course of the investigation, the OCR discovered numerous deficiencies in Advocates’ policies and procedures related to protection of electronically stored patient information. The OCR determined that Advocates did not perform a risk assessment related to electronically stored protected health information, lacked policies to limit access to electronic systems, and failed to execute a written agreement to protect electronic patient information with a business associate. As part of the settlement agreement, Advocates agreed to perform a risk assessment of its electronic protected health information, implement processes to address risks to security, and enhance its HIPAA compliance training program.

This significant settlement amount is characteristic of a trend towards increased oversight and harsher penalties related to HIPAA enforcement. The Advocates settlement also highlights the OCR’s ability to assess penalties not only for actual breaches, but for potential breaches as well if it determines that an entity lacks proper data security. As a result, a single breach or a few isolated breaches can lead to a major compliance issue when the OCR investigates. It is important for covered entities to perform a thorough risk analysis and to adopt policies and procedures that adequately protect patients’ protected health information.

About the Author

Robert Blaisdell

Robert Blaisdell is a Boston attorney providing general business and corporate legal services to healthcare clients. You can find him on LinkedIn.

Donoghue Barrett & Singal clerk Andrew Maglione contributed to this report.
