Cancer Care Group, an Indiana-based radiation oncology private physician practice, has agreed to settle with the Department of Health and Human Services’ Office for Civil Rights for $750,000, for potential HIPAA breaches relating to a 2012 data violation.
In August 2012, Cancer Care Group found that a laptop computer and unencrypted backup drive had been stolen from the vehicle of an employee. The data breach released the Protected Health Information of 55,000 patients.
The stolen devices held highly sensitive data, including patients' Social Security numbers: exactly the data identity thieves need to run up tens of thousands of dollars in debt in the names of the breach victims. Nothing on the drives was encrypted.
Under the HIPAA Security Rule, encryption is an "addressable" implementation specification rather than a required one. This means a HIPAA-covered entity must assess whether encryption is reasonable and appropriate for all PHI it stores, transmits, or backs up. The entity may make an informed decision about whether to encrypt, but only after first evaluating the level of risk that the data could be exposed; if it decides not to encrypt, it must document that reasoning and put an equivalent alternative safeguard in place where one is reasonable and appropriate.
Provided the decision not to encrypt has a sound, documented basis given the assessed level of risk, a HIPAA violation and the accompanying fine could well be avoided, even after a data breach has occurred that encryption could have prevented.
However, when a data breach happens and over 500 individuals are affected, OCR conducts a breach investigation. That investigation focuses on whether the breach could have been prevented, and whether it would have been reasonable, under the circumstances, to have implemented protections that would have prevented it. If the data security measures in place were weaker than those deemed necessary under HIPAA standards, a fine may well be issued.
In the case of Cancer Care Group, OCR found "widespread non-compliance with the HIPAA Security Rule" and therefore took corrective action.
A corrective action plan was issued, with a strict timeframe for meeting data security standards, and a financial penalty was deemed appropriate. OCR discovered enterprise-wide HIPAA compliance issues that had been allowed to continue, unaddressed, since 2005, the year the Security Rule took effect.
Cancer Care Group had not performed a fundamental security measure: a comprehensive risk assessment covering the loss or theft of laptops and similar devices. OCR investigators also found that the healthcare provider had no written policies "for addressing and controlling the removal of electronic devices" from its offices.
In a press release published by OCR, Director Jocelyn Samuels stated, "Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients' health information."
She added, “proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information.”
Cancer Care Group has agreed to implement a corrective action plan that addresses its Security Rule failings and to settle for $750,000 without admission of liability. The full resolution agreement for Cancer Care Group has been published by OCR.
The new OCR HIPAA penalty comes shortly after OCR announced a $218,400 settlement with Brighton, Massachusetts-based St. Elizabeth's Medical Center. That case involved HIPAA violations arising from the sharing of documents via an internet-based application. At face value the two cases do not seem similar, but both data breaches were a consequence of the failure to perform a comprehensive risk assessment.
The latest OCR HIPAA settlements send a clear message to all HIPAA-covered entities: failing to carry out a comprehensive risk assessment is a decision that will prove costly. And with the OCR HIPAA compliance audits coming soon, failures such as these are highly likely to be identified.