One Beacon Street
Suite 1320
Boston, MA 02108

T 617.720.5090
F 617.720.5092


One Richmond Sq.
Suite 165W
Providence, RI 02906
T 401.454.0400
F 401.454.0404

August 12, 2016

Hospital Chain Agrees To Record $5.5M HIPAA Settlement


Illinois hospital system Advocates Health Care Network recently agreed to a $5.55 million settlement with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), after an investigation initiated in 2013 revealed that Advocates had insufficient security in place for protected health information. This is the largest settlement amount resulting from violations of the Health Insurance Portability and Accountability Act (HIPAA) to date. The OCR investigation was triggered by Advocates’ reporting of three data breaches that affected about 4 million individuals.

During the course of the investigation, the OCR discovered numerous deficiencies in Advocates’ policies and procedures related to protection of electronically-stored patient information. The OCR determined that Advocates did not perform a risk assessment related to electronically-stored protected health information, lacked policies to limit access to electronic systems, and failed to execute a written agreement to protect electronic patient information with a business associate. As part of the settlement agreement, Advocates agreed to perform a risk assessment of its electronic protected health information, implement processes to address risks to security, and enhance its HIPAA compliance training program.

This significant settlement amount is characteristic of a trend towards increased oversight and harsher penalties related to HIPAA enforcement. The Advocates settlement also highlights the OCR’s ability to assess penalties not only for actual breaches, but for potential breaches as well if it determines that an entity lacks proper data security. As a result, a single or a few isolated breaches can lead to a major compliance issue when the OCR investigates. It is important for covered entities to perform a thorough risk analysis and to adopt policies and procedures that adequately protect patients’ protected health information.

About the Author

Robert Blaisdell

Robert Blaisdell is Managing Partner and Chair of the Firm's Health Law group. He provides general business and corporate legal services to healthcare clients. You can find him on LinkedIn.

Donoghue Barrett & Singal clerk Andrew Maglione contributed to this report


Health Law



Research Misconduct


This website presents general information about Barrett & Singal and is not intended as legal advice nor should you consider it as such. You should not act upon this information without seeking professional counsel.

Please note that contacting Barrett & Singal by email, telephone or facsimile will not establish an attorney-client relationship, obligate us to act as your attorney or impose an obligation on either the law firm or the receiving lawyer to keep the transmitted information confidential. Completion of Barrett & Singal’s new client intake protocol, including without limitation the firm’s conflicts checking process and an engagement letter, is necessary to establish an attorney-client relationship. Absent a current attorney-client relationship with Barrett & Singal, any information or documents communicated or transmitted by you to Barrett & Singal will not be treated as confidential, secret or protected in any way. If you are not a current client of Barrett & Singal, please do not send any confidential information to us through this web site or otherwise concerning any potential or actual legal matter you have. Before providing any confidential information to us, you must obtain permission to do so from one of the firm’s lawyers. By clicking "Accept," you acknowledge that we have no obligation to maintain the confidentiality of any information you submit to us unless we already represent you or unless we have agreed to receive limited confidential material/information from you as a prospective client.

If you would like to discuss becoming a client, please contact one of our attorneys to arrange for a meeting or telephone conference. If you wish to disclose confidential information to a lawyer in the firm before an attorney-client relationship is established, the protections that the law firm will provide to such information from a prospective client should be discussed with the firm attorney before such information is submitted. Thank you for your interest in Barrett & Singal.