Cancer Care Group agreed to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules with the Department of Health and Human Services’ Office for Civil Rights (OCR). Cancer Care paid $750,000 and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program.
Cancer Care Group is a radiation oncology private physician practice, with 13 radiation oncologists serving hospitals and clinics in Indiana.
On Aug. 29, 2012, OCR received notification from Cancer Care regarding a breach of unsecured electronic protected health information (ePHI) after a laptop bag was stolen from an employee’s car. The bag contained the employee’s computer and unencrypted backup media, which contained the names, addresses, dates of birth, Social Security numbers, insurance information, and clinical information of about 55,000 current and former Cancer Care patients.
OCR’s subsequent investigation found that, prior to the breach, Cancer Care was in widespread non-compliance with the HIPAA Security Rule. It had not conducted an enterprisewide risk analysis when the breach occurred in July 2012.
Further, Cancer Care had no written policy governing the movement of hardware and electronic media containing ePHI into and out of its facilities, even though removing such media from the premises was common practice at the organization. OCR found that these two issues in particular contributed to the breach. It found that an enterprisewide risk analysis could have identified the removal of unencrypted backup media as an area of significant risk to the ePHI, and that a comprehensive device and media control policy could have set out responsibilities for staff removing devices containing ePHI from the facility.
“Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information,” said OCR Director Jocelyn Samuels. “Further, proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information.”
Cancer Care has taken corrective action with regard to the specific requirements of the Privacy and Security Rules that are at the core of this enforcement action, as well as actions to come into compliance with the other provisions of the HIPAA Rules. The Resolution Agreement and Corrective Action Plan can be found on the OCR website at http://1.usa.gov/1PAzwNj.