Cancer Care Group, one of the nation's largest radiation oncology private practices, has agreed to pay $750,000 for violating the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
This monumental settlement was handed down by the Department of Health and Human Services (HHS) for a data breach that occurred three years ago. Reports indicate that Cancer Care Group first notified the Office for Civil Rights (OCR) of a security breach in 2012. The oncology organization said one of its laptops, containing Protected Health Information (PHI) as well as the Social Security numbers and health insurance data of more than 55,000 patients, had been stolen.
Granted, it's not uncommon for laptops, tablets, smartphones or other electronic devices containing PHI to be lost or stolen. Normally, however, the OCR doesn't issue a fine. What makes this case different is that Cancer Care Group did not encrypt the data on the now-stolen laptop, so anyone in possession of the device could read it.
Soon after the data breach was reported, the OCR launched a full investigation to determine whether or not Cancer Care Group had acted negligently. According to a statement by the OCR, Cancer Care Group failed to encrypt the PHI on the laptop. More significantly, the investigation found widespread non-compliance with the HIPAA Security Rule. This prompted the OCR to reach a $750,000 settlement with the oncology practice.
"Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients' health information," said OCR Director Jocelyn Samuels, in a statement. "Further, proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information."
Cancer Care Group failed to conduct a risk analysis when the laptop in question was stolen, and it also lacked the necessary written policies for handling the removal of Electronic Protected Health Information (EPHI). The OCR added that Cancer Care Group neglected to address these violations when they were initially discovered back in 2005, long before the laptop was stolen.
So, what should you take away from this article? Long story short, the OCR DOES issue fines for HIPAA violations. It may let some smaller violations slide, assuming they are corrected in a timely manner. But if a covered entity continues to neglect the HIPAA Rules, it can and will be fined, as in the case of the $750,000 settlement between Cancer Care Group and HHS.