A $750,000 settlement recently paid by a large physician practice group highlights how important it is for organizations to regularly conduct proper HIPAA risk assessments.
The Cancer Care Group (based in Indiana) allegedly failed to protect electronic patient data (“ePHI”) as required by the Health Insurance Portability and Accountability Act’s (“HIPAA”) Security Rule. The Group’s compliance issues arose after an employee’s laptop bag containing unencrypted electronic patient data was reported stolen out of the employee’s car. According to the resolution agreement between the Group and the Office of Civil Rights (“OCR”), the Group failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI. As a result, the Group did not implement appropriate and effective policies and procedures to govern the receipt and removal of computer hardware and electronic media containing ePHI into and out of the Group’s facility. This failure lead to the improper disclosure of ePHI related to approximately 55,000 individuals and an agreement to pay $750,000 to resolve the OCR’s allegations. The Group was also required to enter a three year Corrective Action Plan to come into compliance with HIPAA.
The takeaway for all organizations covered by HIPAA is that one of the most important aspects of an effective HIPAA compliance program is the implementation of regular risk assessments. These assessments must include a thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the organization or its business associates. By conducting these assessments, organizations can uncover and prevent breaches such as those alleged against the Cancer Care Group by implementing appropriate security measures. Such measures would certainly include ensuring that any electronic health information would not leave your facility unencrypted and sitting unattended in a parked car!
The Resolution Agreement can be found at:
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cancercare-racap.pdf
By 
