In the United States the privacy and security requirements for protected health information (PHI) are set forth in the Health Insurance Portability and Accountability Act (HIPAA) and its accompanying regulations, as administered by the Department of Health and Human Services (DHHS). See, e.g., the Global Matters article Health Information Privacy: An Evolving Minefield. In the largest HIPAA settlement to date for noncompliance with the HIPAA security and privacy requirements, the DHHS Office for Civil Rights (OCR) levied a $5.5 million fine against Advocate Health Care Network and required it to adopt a corrective action plan. OCR began its investigation into Advocate after three separate data breaches were reported: a laptop stolen from an Advocate office building, unauthorized access to a business associate's computer network, and an unencrypted laptop taken from an employee's vehicle.
The OCR investigation revealed several security and privacy failures by Advocate, including a failure to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its electronic PHI (ePHI), and a failure to obtain satisfactory assurances, in the form of a written business associate contract, that its business associate would appropriately safeguard all ePHI in its possession. OCR stated that the settlement should send "a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management."
As we have stated before in Global Matters (see HIPAA Privacy Enforcement Is Alive And Well: Is Your System Compliant?), OCR is increasingly aggressive in its approach to HIPAA enforcement. Consult your Ally Law member firm to analyze your data protection policies and procedures and to assure compliance and adherence to best practices, whether you are a health care provider or a business associate of health care providers. Ally Law member firms have practitioners skilled in regulatory compliance and data security law. For more information about Ally Law member firm services in this area, contact us at firstname.lastname@example.org.