OCR settlement reiterates importance of proactive security rule compliance

Conor Duffy
Robinson+Cole Data Privacy + Security Insider
Contact
LinkedIn
Facebook
X
Send
Embed

On September 2, 2015, the U.S. Department of Health & Human Services (HHS) announced that Cancer Care Group, P.C. (CCG), a physician practice located in Indiana, agreed to pay $750,000 as part of a settlement to resolve alleged violations of HIPAA’s Security and Privacy Rules.

The HHS Office for Civil Rights (OCR) initiated an investigation in 2012 after CCG self-reported a breach of unsecured electronic protected health information (ePHI) resulting from the theft of a laptop bag from a CCG employee. The laptop bag contained the employee’s computer, as well as unencrypted back-up media containing ePHI of approximately 55,000 individuals, including names, addresses, dates of birth, Social Security numbers, insurance and clinical information. OCR determined that CCG had never performed an enterprise-wide security risk analysis, and did not have any policies for the protection of ePHI on mobile media, both in violation of the Security Rule. OCR further determined that CCG violated the Privacy Rule by impermissibly disclosing the ePHI of approximately 55,000 individuals.

In addition to the $750,000 payment, CCG’s resolution agreement with OCR requires CCG to comply with a three-year corrective action plan (CAP). Under the CAP, CCG must conduct a comprehensive risk analysis, and then implement an organization-wide risk management plan to mitigate security risks and vulnerabilities identified by the risk analysis. CCG must also review and revise its Security Rule policies, procedures and training program. During the term of the CAP, CCG is subject to heightened reporting requirements for violations of its HIPAA policies and procedures, and must submit annual CAP-compliance reports to HHS.

This latest OCR settlement is yet another reminder to health care providers that for all the attention cyber-attacks rightfully attract, such providers face more immediate security vulnerabilities in the form of their employees. HIPAA-compliant policies and procedures – such as mandatory encryption of back-up media accessed by employees – are the best mechanism for mitigating these security vulnerabilities, and health care providers must proactively ensure compliance with HIPAA’s fundamental requirements in order to reduce exposure to costly data breaches.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising

Written by:

Robinson+Cole Data Privacy + Security Insider
Robinson+Cole Data Privacy + Security Insider
Contact
more
less

Robinson+Cole Data Privacy + Security Insider on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide