Advocate Health Care Network, the largest fully integrated health care system in Illinois, agreed to pay $5.55M, the largest HIPAA settlement ever paid by a single entity, to resolve potential penalties. The alleged long-term non-compliance behind this settlement consisted of four failures to comply with HIPAA:
- failure to adequately conduct risk assessments,
- failure to limit physical access to ePHI,
- failure to obtain Business Associate Agreements, and
- failure to safeguard an unencrypted laptop, which was left in an unlocked car overnight.
This settlement demonstrates just how seriously the Office for Civil Rights takes HIPAA compliance. Risk assessments, physical security, business associate agreements, and safeguarding laptops and other portable mobile devices are not optional. Covered Entities and their Business Associates need to take heed and complete the steps necessary to ensure compliance with HIPAA.