$750,000 HIPAA settlement emphasizes the importance of risk analysis and device and media control policies

Cancer Care Group, P.C. agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR).

The Indiana based Radiation oncology private physician practice paid $750,000 and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program.

This all started on August 29, 2012, when OCR received notification from the Group regarding a breach of unsecured electronic protected health information (ePHI) after a laptop bag was stolen from an employee’s car.

The bag contained the employee’s computer and unencrypted backup media, which contained the names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of approximately 55,000 current and former Cancer Care patients.

OCR’s subsequent investigation found that, prior to the breach, the Group  was in widespread non-compliance with the HIPAA Security Rule.

It had not conducted an enterprise-wide risk analysis when the breach occurred in July 2012. It do not have in place a written policy specific to the removal of hardware and electronic media containing ePHI into and out of its facilities, even though this was common practice within the organization.

OCR found that these two issues, in particular, contributed to the breach, as an enterprise-wide risk analysis could have identified these issues.

The Group as taken corrective action with regard to the specific requirements of the Privacy and Security Rules that are at the core of this enforcement action, as well as actions to come into compliance with the other provisions of the HIPAA Rules.