In September of 2015 Cancer Care Group, P.C, a radiation oncology private physician practice, with 13 radiation oncologists serving hospitals and clinics throughout Indiana, agreed to pay a $750,000 penalty corresponding to a breach in 2012. In conjunction to the monetary fine, Cancer Care Group, P.C has agreed to adopt an action plan to correct the deficiencies within their organization’s HIPAA compliance program.

How did this data breach occur?

The 2012 breach occurred when a laptop bag was stolen out of an employee’s car. The bag contained both a laptop and an unencrypted backup device, which contained the names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of 55,000 current and former Cancer Care patients.

After the breach was disclosed, the Office for Civil Rights (OCR) performed an investigation and found that, prior to the breach, Cancer Care was in widespread non-compliance with the HIPAA Security Rule. They had not conducted an enterprise-wide risk analysis when the breach occurred in July 2012 nor did Cancer Care have any written policies regarding the removal of hardware and electronic media containing ePHI. OCR found that these two issues ultimately contributed to the breach and that an enterprise-wide risk analysis could have identified the removal of unencrypted backup media as an area of significant risk to Cancer Care.

“Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information… Further, proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information.” – Jocelyn Samuels, OCR Director.

Is your medical practice at risk?

Cancer Care Group, P.C is not alone when it comes to fines imposed by OCR or being found negligent for general HIPAA non-compliance. One example is a firm violating HIPAA by mistakenly sending a fax to a client’s employer. This lead to an investigation by OCR, and although no fines were imposed, the firm went through an exhaustive in-depth audit with mandated security training for workforce members.

powersolution has compiled a 7 Easy Steps guide toward HIPAA compliance. HHS also offers guidance on how your organization can conduct a HIPAA Risk Analysis: http://www.healthit.gov/providers-professionals/security-risk-assessment.

To learn more about non-discrimination and health information privacy laws and privacy rights in health care and human service settings please visit http://www.hhs.gov/ocr/office.