Cancer Care Group, P.C., a 13-physician radiation oncology practice in Indiana (group), has agreed to pay $750,000 and implement a comprehensive corrective action plan in a settlement resulting from the theft of a laptop and backup media containing unencrypted patient information. As is often the case, the breach incident triggered an investigation that revealed deeper deficiencies in the physician group’s HIPAA compliance efforts. The Office of Civil Rights of the Department of Health and Human Services (OCR) announced the settlement in a September 2, 2015 press release entitled “$750,000 HIPAA settlement emphasizes the importance of risk analysis and device and media control policies.” That heading alone strongly suggests that OCR chose this case to send a clear and powerful message to smaller covered entities and business associates that neglecting basic compliance efforts can and will result in heavy fines, especially if meaningful corrective action is not undertaken after a breach occurs.
The practice first notified OCR of the theft of an employee’s laptop bag in 2012 from the employee’s car. The bag contained a laptop, which did not contain ePHI, and unencrypted computer server backup media with names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of approximately 55,000 current and former patients. OCR learned upon further investigation that the group had taken its HIPAA obligations less than seriously for years preceding the breach.
It had not conducted an enterprise-wide risk analysis when the breach occurred in July 2012. Further, Cancer Care did not have in place a written policy specific to the removal of hardware and electronic media containing ePHI into and out of its facilities, even though this was common practice within the organization. OCR found that these two issues, in particular, contributed to the breach, as an enterprise-wide risk analysis could have identified the removal of unencrypted backup media as an area of significant risk to Cancer Care’s ePHI, and a comprehensive device and media control policy could have provided employees with direction in regard to their responsibilities when removing devices containing ePHI from the facility.
In addition to the fine, the group adopted a Corrective Action Plan as part of its Resolution Agreement with OCR, which can be read here.
Much like the Phoenix Cardiac Surgery settlement that we discussed on this blog in 2012, this case involved not just a one-time negligent breach, but a systematic, ongoing failure to adopt and implement appropriate HIPAA safeguards, policies and compliance efforts. The Resolution Agreement indicates that such failures continued for a significant time after the theft of the devices.
The Resolution Agreement states that the payment of the $750,000 “Resolution Amount” does not preclude the government from imposing civil monetary penalties in the future if the deficiencies are not cured, and the group agreed to extend the statute of limitations on such penalties during the three-year term of the Resolution Agreement and Corrective Action Plan and for one year afterwards. During the term of the Agreement, the group is required to complete a comprehensive Risk Analysis of all security risks and vulnerabilities posed by its electronic equipment, data systems, and applications that contain, store, transmit, or receive electronic protected health information (“ePHI”) and report the results to OCR; develop and implement an organization-wide Risk Management Plan to address and mitigate any security risks and vulnerabilities found in the Risk Analysis; revise and update its policies and procedures to OCR’s satisfaction; revise its current Security Rule Training Program; investigate any workforce member’s violation of such policies and report the results to OCR (even if such violation did not result in a breach); and file detailed annual reports with OCR.
There are plenty of lessons to learn from this settlement, but one of the most critical may be the easiest to implement: encrypt your data, particularly any data stored on portable devices, which have a disturbing tendency to disappear. Had the backup media been encrypted, the outcome of this incident would likely have been very different. Another lesson is that, if a HIPAA breach is discovered, be proactive and act immediately to assess and address the risk and mitigate the potential damage, update your policies and procedures, implement changes designed to avoid another breach, and so on. Do not wait for OCR to tell you how to respond to the breach.
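To make the "encrypt your backup media" lesson concrete, here is an added example (not code from the original post or from Cancer Care Group) showing what encryption at rest buys you when a backup drive goes missing: the backup is sealed with AES-256-GCM under a key that lives apart from the media, the stored blob reveals none of the patient fields, and any tampering with the media is detected on restore. The patient record and field names are constructed sample data; the function names (`NewMediaKey`, `EncryptBackup`, `DecryptBackup`, `LeaksField`) are this example's own, using only the Go standard library.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sampleBackup is a constructed stand-in for the kind of record found on the
// stolen media (name, address, date of birth, SSN, insurance, clinical data).
var sampleBackup = []byte(
	"name=Jane Example;addr=1 Sample St;dob=1970-01-01;ssn=000-00-0000;" +
		"insurer=ExamplePlan;dx=sample diagnosis")

// NewMediaKey generates a random 256-bit key for a backup set. The key must be
// held separately from the media (a key management system or escrow), never
// written to the same drive, so loss of the drive alone discloses nothing.
func NewMediaKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptBackup seals the backup with AES-GCM. The output layout written to the
// media is nonce || ciphertext || authentication tag; a fresh random nonce is
// used for every backup so the same key may safely protect many backup sets.
func EncryptBackup(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptBackup restores a backup blob. It fails, rather than returning garbage,
// if the blob was altered or if the wrong key is supplied.
func DecryptBackup(key, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("backup blob too short to be valid")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// LeaksField reports whether a plaintext field is readable directly from the
// bytes as they sit on the media, which is the question an auditor asks after
// a device is lost.
func LeaksField(blob, field []byte) bool {
	return bytes.Contains(blob, field)
}

func main() {
	key, err := NewMediaKey()
	if err != nil {
		panic(err)
	}
	blob, err := EncryptBackup(key, sampleBackup)
	if err != nil {
		panic(err)
	}
	fmt.Println("SSN visible on unencrypted media:", LeaksField(sampleBackup, []byte("000-00-0000")))
	fmt.Println("SSN visible on encrypted media:  ", LeaksField(blob, []byte("000-00-0000")))
	restored, err := DecryptBackup(key, blob)
	fmt.Println("restore ok:", err == nil && bytes.Equal(restored, sampleBackup))
}
```

The design point is the separation of key and media: the drive in the laptop bag carries only the sealed blob, and the key stays with the organization, so the breach-notification analysis for a lost drive starts from "no unsecured ePHI" rather than "55,000 patient records". A device and media control policy should pair this with an inventory of which backup sets are encrypted under which key, so that a missing drive can be matched to a key and confirmed protected.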