Group Settles Allegations of HIPAA Violations for $750K

According to a press release by the HHS Office of Civil Rights:

Cancer Care Group, P.C. agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR). Cancer Care paid $750,000 and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program. Cancer Care Group is a radiation oncology private physician practice, with 13 radiation oncologists serving hospitals and clinics throughout Indiana.

Cancer Care submitted a notification to OCR regarding a breach of unsecured electronic protected health information (ePHI) after a laptop bag was stolen from an employee’s car. The bag contained the employee’s computer and unencrypted backup media, which contained the names, addresses, dates of birth, Social Security numbers, insurance information, and clinical information of approximately 55,000 current and former Cancer Care patients.
OCR concluded that, prior to the breach, Cancer Care was in widespread non-compliance with the HIPAA Security Rule for the following reasons:
1. Cancer Care had not conducted an enterprise-wide risk analysis when the breach occurred in July 2012.
2. Cancer Care did not have a written policy specific to the removal of hardware and electronic media containing ePHI into and out of its facilities, even though this was common practice within the organization.
OCR found that these two issues, in particular, contributed to the breach. It also concluded that an enterprise-wide risk analysis could have identified the removal of unencrypted backup media as an area of significant risk to Cancer Care’s ePHI, and a comprehensive device and media control policy could have provided employees with direction regarding their responsibilities when removing devices containing ePHI from the facility.
The takeaway is that all entities must regularly evaluate their practices involving the access, use, storage, and disclosure of PHI and ePHI, and must draft appropriate policies and procedures to address areas where PHI and ePHI could be improperly accessed, used, or disclosed.

Michael Miscoe


Mr. Miscoe, JD, CPC, CASCC, CUC, CCPC, CPCO, CPMA has over 20 years of experience in healthcare coding and over sixteen years as a compliance expert, forensic coding expert and consultant. He has provided expert analysis and testimony on a wide range of coding and compliance issues in civil and criminal cases and his law practice concentrates exclusively on representation of healthcare providers in post-payment audits as well as with responding to HIPAA OCR issues. He has an extensive national speaking background and has been published in numerous national publications on a variety of coding, compliance and health law topics.
