Cancer Care Group, P.C. settled alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules on September 2 with the U.S. Department of Health & Human Services Office for Civil Rights (OCR) for $750,000. Cancer Care, a radiation oncology private physician practice located in Indiana, also agreed to adopt a corrective action plan to remedy defects in its HIPAA compliance program.

OCR’s investigation of Cancer Care’s compliance with HIPAA began when the physician group self-reported to OCR a breach of unsecured electronic protected health information (ePHI) resulting from an unencrypted laptop that was stolen from an employee’s car. The computer contained the names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of approximately 55,000 current and former Cancer Care patients.

After investigating the breach, OCR concluded that Cancer Care’s operations involved extensive HIPAA non-compliance and highlighted the group’s failure to conduct an enterprise-wide risk analysis of the potential risks and vulnerabilities to the confidentiality of the ePHI it stored, as required by the Security Rule. Additionally, Cancer Care failed to maintain a written policy governing the removal of electronic media containing ePHI from its facilities, even though its employees commonly did so. OCR alleged that Cancer Care’s failure to carry out the requisite risk analysis and to maintain a device and media control policy contributed in large part to the data breach.

The steep penalty resulting from such claims serves as a valuable reminder to HIPAA-covered entities of the necessity to carry out an organizational risk analysis and to maintain a comprehensive device management policy, in addition to maintaining an all-around effective compliance program. Given the frequency with which stolen laptops and other mobile device security issues generate HIPAA violations, covered entities and business associates should have policies that include, in pertinent part, encryption of mobile devices and electronic media. Covered entities should also conduct security awareness training on their policies for safeguarding ePHI. While even strict compliance with HIPAA privacy and security standards does not ensure that a data breach will not occur, maintaining a robust compliance plan will reduce the risk of such an event while also minimizing liability if one does transpire.