On September 2, 2015, the U.S. Department of Health & Human Services (HHS) announced that Cancer Care Group, P.C. (CCG), a physician practice located in Indiana, agreed to pay $750,000 as part of a settlement to resolve alleged violations of HIPAA’s Security and Privacy Rules.
The HHS Office for Civil Rights (OCR) initiated an investigation in 2012 after CCG self-reported a breach of unsecured electronic protected health information (ePHI) resulting from the theft of a laptop bag from a CCG employee. The laptop bag contained the employee’s computer, as well as unencrypted back-up media containing ePHI of approximately 55,000 individuals, including names, addresses, dates of birth, Social Security numbers, insurance and clinical information. OCR determined that CCG had never performed an enterprise-wide security risk analysis, and did not have any policies for the protection of ePHI on mobile media, both in violation of the Security Rule. OCR further determined that CCG violated the Privacy Rule by impermissibly disclosing the ePHI of approximately 55,000 individuals.
In addition to the $750,000 payment, CCG’s resolution agreement with OCR requires CCG to comply with a three-year corrective action plan (CAP). Under the CAP, CCG must conduct a comprehensive risk analysis, and then implement an organization-wide risk management plan to mitigate security risks and vulnerabilities identified by the risk analysis. CCG must also review and revise its Security Rule policies, procedures and training program. During the term of the CAP, CCG is subject to heightened reporting requirements for violations of its HIPAA policies and procedures, and must submit annual CAP-compliance reports to HHS.
This latest OCR settlement is yet another reminder to health care providers that, for all the attention cyber-attacks rightfully attract, such providers face more immediate security vulnerabilities in the form of their own employees and the devices and media they carry. HIPAA-compliant policies and procedures, backed by the technical safeguards that enforce them (such as mandatory encryption of laptops and of any back-up media employees take off-site), are the best mechanism for mitigating these vulnerabilities; notably, ePHI encrypted in line with HHS guidance is not "unsecured" ePHI, so the loss of an encrypted device does not by itself trigger a reportable breach. Health care providers must therefore proactively ensure compliance with HIPAA's fundamental requirements, starting with the enterprise-wide risk analysis that CCG never performed, in order to reduce exposure to costly data breaches.