HIPAA For MSPs by David Sims OCR settlements keep coming in 2016

So far in 2016, 10 OCR settlements have been announced. One more and this year will equal the number of agreements in all of 2014 and 2015 combined! The latest two also include the largest settlement announced yet: $5.5m with Advocate Health. Just before Advocate Health came The University of Mississippi Medical Center, aka “Ole Miss” to those of us in the SEC world. Its $2.75m resolution amount wasn’t anything to “shake a stick at” either.

The total amount for the 10 announcements that have occurred so far in 2016 is $20,314,800. But the details are what we usually pay more attention to, since they tell us exactly what OCR has a problem with in each case. They make it clear what OCR wants all of us to learn from these folks’ mistakes.

OCR Settlements

Both cases involve breaches from 2013 that were reported to OCR.

  • In March of 2013 at Ole Miss, a password-protected laptop went missing from UMMC’s Medical Intensive Care Unit (MICU). UMMC’s investigation concluded that it had likely been stolen by a visitor to the MICU who had inquired about borrowing one of the laptops. OCR’s investigation revealed that the ePHI stored on a UMMC network drive was vulnerable to unauthorized access via UMMC’s wireless network, because users could access an active directory containing 67,000 files after entering a generic username and password. The directory included 328 files containing the ePHI of an estimated 10,000 patients dating back to 2008.
  • Advocate had three breaches between 8/23 and 11/1. Four desktops were stolen from their facilities. A business associate (BA) breach occurred when the systems of their billing service were hacked. Lastly, an unencrypted laptop was stolen from an unlocked car.

The OCR settlements included a corrective action plan (CAP) for both institutions. Ole Miss received three years and Advocate got two.


  • Ole Miss
    • No security policies and procedures for over 11 years, i.e. since the Security Rule took effect
    • Over 1 year with no physical safeguards
    • Over 8 years without unique user names – using shared user names
    • After the breach they notified the press and OCR but not all of the patients
  • Advocate Health
    • Risk analysis didn’t include all of the facilities, IT equipment, apps & data systems utilizing ePHI
    • No policies and procedures to limit physical access to their support center where the desktops were stolen
    • Failed to reasonably safeguard the ePHI at the support center, which affected 3,994,175 patients
    • No BA management, including no contract or assurances from Blackhawk, their billing service, to protect PHI
    • Disclosed the ePHI of 2,027 patients to Blackhawk without a BAA in place
    • No safeguards on laptop that was stolen from an unlocked car
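Two of the Ole Miss findings above, the generic username and password on the wireless-reachable network drive and eight years of shared user names, are the kind of thing an MSP can spot in the logs before OCR does. The script below is an added example written for this post, not code from the podcast or from either institution. It assumes a simplified key=value export of Windows Security event 4624 (successful logon) with the real field names TargetUserName, WorkstationName, IpAddress and LogonType; the log lines, host names and the account name micu_shared are constructed for the example. It flags any account that logs on from three or more distinct workstations inside one hour, which is a practical indicator that a credential is being shared rather than tied to one person.

```python
"""Flag accounts that look shared: one username logging on from many distinct
hosts within a short window. Reads simplified Windows 4624 (successful logon)
events. All sample events below are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in key=value form, loosely modelled on the
# fields of Windows Security event 4624 (TargetUserName, WorkstationName,
# IpAddress, LogonType). They are not real records from any organisation.
SAMPLE_EVENTS = """\
2016-03-01T08:00:12 EventID=4624 TargetUserName=micu_shared WorkstationName=WS-MICU-01 IpAddress=10.1.5.11 LogonType=3
2016-03-01T08:03:40 EventID=4624 TargetUserName=micu_shared WorkstationName=WS-MICU-02 IpAddress=10.1.5.12 LogonType=3
2016-03-01T08:07:02 EventID=4624 TargetUserName=micu_shared WorkstationName=LAPTOP-7F2A IpAddress=10.1.9.201 LogonType=3
2016-03-01T08:15:55 EventID=4624 TargetUserName=micu_shared WorkstationName=LAPTOP-C913 IpAddress=10.1.9.214 LogonType=3
2016-03-01T08:20:10 EventID=4624 TargetUserName=jsmith WorkstationName=WS-ADMIN-04 IpAddress=10.1.2.40 LogonType=2
2016-03-01T08:22:31 EventID=4624 TargetUserName=jsmith WorkstationName=WS-ADMIN-04 IpAddress=10.1.2.40 LogonType=2
2016-03-01T09:40:00 EventID=4625 TargetUserName=micu_shared WorkstationName=LAPTOP-0000 IpAddress=10.1.9.99 LogonType=3
2016-03-01T14:05:00 EventID=4624 TargetUserName=micu_shared WorkstationName=WS-MICU-01 IpAddress=10.1.5.11 LogonType=3
"""


def parse_events(text):
    """Turn each line into a dict; skip blanks and anything that is not a
    successful logon (EventID 4624)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        if fields.get("EventID") != "4624":
            continue
        fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        events.append(fields)
    return events


def find_shared_accounts(events, window=timedelta(hours=1), min_hosts=3):
    """Return {username: sorted list of hosts} for every account seen on at
    least min_hosts distinct workstations inside some window-length span.
    The window slides: each logon opens a span that runs `window` forward."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["TargetUserName"]].append((e["ts"], e["WorkstationName"]))
    flagged = {}
    for user, logons in by_user.items():
        logons.sort()  # chronological, so logons[i:] are all at or after start
        for i, (start, _) in enumerate(logons):
            hosts = {host for t, host in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    for user, hosts in find_shared_accounts(parse_events(SAMPLE_EVENTS)).items():
        print(f"{user}: used from {len(hosts)} hosts within 1h -> {hosts}")
```

Run against the constructed sample it reports only micu_shared, seen from four different workstations in a quarter of an hour, while jsmith, who logs on twice from the same desk, is left alone. The thresholds are starting points; tune the window and host count to the environment, and treat every flagged account as a candidate for replacement with unique, named user accounts, which is precisely what OCR faulted UMMC for not doing.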