HIPAA Fine Underscores OCR’s Focus on Physician Group Compliance

BakerHostetler
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) recently announced a $750,000 fine and resolution agreement, including a Corrective Action Plan (CAP), for Cancer Care Group, P.C. (CCG), a private organization made up of 18 physicians. The CCG investigation and resolution demonstrate that OCR does not exempt even modest-size physician groups from scrutiny.

The investigation originated from an incident in 2012 in which a CCG employee’s laptop bag was stolen from the employee’s car. The laptop bag contained unencrypted computer server back-up media with the electronic protected health information (ePHI) of around 55,000 patients.

OCR emphasized CCG’s seven years of non-compliance with the Security Rule in the resolution agreement and CAP. OCR noted that, since the April 21, 2005, Security Rule compliance date, CCG had not conducted an enterprise-wide risk analysis or established and implemented written policies regulating the movement of hardware and electronic media containing ePHI into, out of and within facilities, notwithstanding that CCG employees regularly transported ePHI. Additionally, OCR found that CCG had neither encrypted the backup tapes nor properly safeguarded the unencrypted backup tapes that were stolen from the employee’s car.

The CAP emphasizes general HIPAA compliance and the importance of conducting security risk analyses at regular or as-needed intervals, implementing responsive risk management plans, and updating training materials, policies and procedures. This emphasis is consistent with our experience in working with healthcare clients on OCR investigations, and these measures are proving to be the most important and fundamental compliance tools a covered entity should have.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising