The OCR has released details of a Cancer Care Group HIPAA settlement – the Indiana-based oncology private physician practice is to pay $750,000.
The security incident in question involved the theft of an unencrypted laptop computer, which was taken from the vehicle of a Cancer Care Group employee in 2012. The device had been used to store the Protected Health Information (PHI) and Personally Identifiable Information (PII) of patients. As a result of the theft, the data of 55,000 patients were exposed to criminals, placing the breach victims at risk of identity theft and fraud.
If portable storage devices or laptop computers are to be transported outside healthcare providers’ facilities, a reasonable measure to protect data stored on the devices is data encryption. If a device is subsequently stolen, the PHI and PII of patients would be undecipherable.
HIPAA Rules do not demand that data encryption be employed, although the security measure must be considered. Other protections can be used in place of encryption to secure PHI without risking a HIPAA violation. However, while data encryption could potentially have prevented the data breach, the OCR did not issue a fine to Cancer Care Group for that reason.
Covered entities are required to submit reports of security incidents that expose the PHI/PII of patients and plan members to the OCR. All security breach reports that expose the data of more than 500 individuals are investigated. When the OCR conducted its investigation, it discovered “widespread violations of the HIPAA Security Rule.” Due to the seriousness of those violations, a financial penalty was warranted. Oftentimes, the OCR only issues a correctional action plan, which covered entities must follow in order to bring data privacy and security measures up to the standard demanded by HIPAA.
One of the most serious violations was a failure to conduct an enterprise-wide risk analysis following the discovery of the data breach. Other violations discovered included the lack of a policy covering the removal of PHI-containing devices from the healthcare provider’s premises. The OCR investigation revealed it was a common practice to take computer equipment and electronic devices outside Cancer Care Group facilities. These violations were deemed to have directly led to the exposure of patient PHI.
An OCR statement announcing the Cancer Care Group HIPAA settlement said “an enterprise-wide risk analysis could have identified the removal of unencrypted backup media as an area of significant risk to Cancer Care’s ePHI, and a comprehensive device and media control policy could have provided employees with direction in regard to their responsibilities when removing devices containing ePHI from the facility.”
OCR Director Jocelyn Samuels sent a stern warning to other covered entities after the Cancer Care Group HIPAA settlement was announced: “Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information.” While data encryption is not mandatory, Samuels added, “Further, proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information.”
Encryption in this case would not only have prevented the exposure of patient PHI; there would also have been no reportable breach, and therefore no reason for the OCR to conduct an investigation of HIPAA compliance.
It is hoped that the stiff HIPAA penalty sends a message to all covered entities that a failure to adhere to HIPAA Rules will not be tolerated. There are no excuses for failing to comply with HIPAA Rules, which only set minimum standards for data privacy and security. Furthermore, regardless of the size of a HIPAA-covered entity, fines for HIPAA violations can, and will, be issued.
Further information on the Cancer Care Group HIPAA settlement can be viewed here.