Group Settles Allegations of HIPAA Violations for $750K
According to a press release by the HHS Office for Civil Rights:
Cancer Care Group, P.C. agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR). Cancer Care paid $750,000 and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program. Cancer Care Group is a radiation oncology private physician practice, with 13 radiation oncologists serving hospitals and clinics throughout Indiana.
Cancer Care submitted a notification to OCR regarding a breach of unsecured electronic protected health information (ePHI) after a laptop bag was stolen from an employee’s car. The bag contained the employee’s computer and unencrypted backup media, which contained the names, addresses, dates of birth, Social Security numbers, insurance information, and clinical information of approximately 55,000 current and former Cancer Care patients.
OCR concluded that, prior to the breach, Cancer Care was in widespread non-compliance with the HIPAA Security Rule for the following reasons:
1. Cancer Care had not conducted an enterprise-wide risk analysis when the breach occurred in July 2012.
2. Cancer Care did not have a written policy specific to the removal of hardware and electronic media containing ePHI into and out of its facilities, even though this was common practice within the organization.
OCR found that these two issues, in particular, contributed to the breach. It also concluded that an enterprise-wide risk analysis could have identified the removal of unencrypted backup media as an area of significant risk to Cancer Care’s ePHI, and a comprehensive device and media control policy could have provided employees with direction regarding their responsibilities when removing devices containing ePHI from the facility.
The takeaway is that all entities must regularly evaluate their practices involving the access, use, storage, and disclosure of PHI and ePHI, and must draft appropriate policies and procedures to address areas where PHI and ePHI could be improperly accessed, used, or disclosed.