Recently, The Office for Civil Rights (OCR) announced a $5.55 million settlement with Advocate Health Care in response to a breach of electronic Protected Health Information (ePHI) affecting approximately four million individuals. This is the largest OCR settlement in response to a breach to date. Among other things, the settlement agreement indicated that Advocate failed to:

  • Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI
  • Implement policies, procedures, and facility access controls to limit physical access to the electronic information systems housed within a large data support center
  • Reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight

Unfortunately, the findings listed in this settlement agreement can be found with regularity throughout OCR’s settlement agreements. See the following list of similar findings:



University of Mississippi Medical Center (UMMC)

UMMC failed to:

> Implement its policies and procedures to prevent, detect, contain, and correct security violations


Oregon Health & Science University (OHSU)

OHSU failed to:

> Implement policies and procedures to prevent, detect, contain, and correct security violations

> Implement a mechanism to encrypt and decrypt ePHI or an equivalent alternative measure for all ePHI maintained in OHSU’s enterprise


Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS)

CHCS failed to:

> Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by CHCS



Feinstein Institute for Medical Research (FIMR)

FIMR failed to:

> Conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of the ePHI held by FIMR

> Implement policies and procedures for granting access to ePHI by its workforce members

> Implement a mechanism to encrypt ePHI or, alternatively, document why encryption was not reasonable and appropriate and implement an equivalent alternative measure of encryption to safeguard ePHI


When one reviews the settlement agreements that came out of OCR’s enforcement, there are three common themes that appear to occur with frequency:

  1. Failure to conduct an accurate and thorough Security Risk Analysis (see §164.308(a)(1)(ii)(A))
  2. Failure to implement proper policies and procedures (see §164.316(a))
  3. Failure to encrypt ePHI (see §164.312(a)(2)(iv))

Furthermore, OCR representatives are frequently asked what the top three things an organization can do to protect its information and avoid stiff penalties are.

The answer is always the same:

  1. Conduct a regular Security Risk Analysis
  2. Implement Policies and Procedures
  3. “Encrypt, encrypt, encrypt”

Security Risk Analysis

It isn’t always easy to understand what the HIPAA Security Rule requires of organizations when conducting a Security Risk Analysis, especially for smaller organizations that have not performed a formal risk analysis in the past. In order to provide flexibility, the HIPAA Security Rule is not prescriptive on how to conduct a Security Risk Analysis. This allows for a variety of approaches that may fit into existing risk analysis processes and models. However, it also makes it difficult to determine what constitutes “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.”

A common temptation for small-to-medium sized organizations is to defer this assessment to their internal or external IT team. The outcome is generally a description of the IT security controls that are in place. Unfortunately, this does not constitute a Security Risk Analysis, nor does it address business risk. For these reasons, it is often prudent to partner with professionals who have experience in this field.

Policies and Procedures

The HIPAA Security Rule specifies that organizations must:

(§164.316(a)) Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart…

Effectively following this specification is a common failing, especially in smaller organizations. We’ve experienced the following common scenarios:

  • The organization purchased a policy template, put it on a shelf, and has not referred to it since.
  • The organization implemented policies in 2005 (when compliance with the HIPAA Security Rule was first required) and has not reviewed them since.
  • The organization has policies, but does not enforce them.

Unfortunately, none of these scenarios will lead to a favorable ruling from OCR. To be effective and compliant, policies must:

  • Be customized and relevant to the organization
  • Be reviewed and updated regularly
  • Be communicated to the workforce and be enforced

“Encrypt, Encrypt, Encrypt”

These are the words of Jocelyn Samuels, Director of OCR. There has been much discussion about the fact that encryption is listed as an addressable implementation specification in the HIPAA Security Rule. However, too often the word “addressable” is read as “optional” and this is simply not the case. For addressable implementation specifications, covered entities must:

Perform an assessment to determine whether the specification is a reasonable and appropriate safeguard in the covered entity’s environment. After performing the assessment, an organization then decides if it will:

  • Implement the addressable implementation specification as stated
  • Implement an equivalent alternative measure that allows the entity to comply with the standard
  • Not implement the addressable specification or any alternative measures, if equivalent measures are not reasonable and appropriate within its environment

Of course, the decision must be documented and must be considered “reasonable and appropriate.” As we have seen from the settlement agreements, OCR expects that organizations will encrypt ePHI unless they can otherwise demonstrate that it was not reasonable or appropriate to do so. In other words, the burden is on the organization to prove why it would not implement encryption, as opposed to the other way around.

Additionally, encryption provides safe harbor from reporting breaches in the first place. So not only can organizations avoid fines by encrypting ePHI, they can also avoid sending notifications to former patients, the legal fees associated with a breach notification, and reputational harm through the media and the public Breach Report.


If an organization is not sure where to start with their HIPAA Security Rule Compliance program and wants to avoid fines, they should start by conducting a Security Risk Analysis, implementing effective Policies and Procedures, and encrypting ePHI. Just like individuals seek out the guidance of medical specialists to maintain good health, health care organizations should seek out specialists to help them ensure they are applying a reasonable amount of diligence in protecting health care data.

Onliners have conducted hundreds of Security Risk Assessments for health care organizations looking to meet the requirements of the HIPAA Privacy and Security Rule. Contact us today to avoid costly fines and ensure your organization stays up-to-date on HIPAA compliance.
