HIPAA Fine Underscores OCR’s Focus on Physician Group Compliance


The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) recently announced a $750,000 fine and resolution agreement, including a Corrective Action Plan (CAP), for Cancer Care Group, P.C. (CCG), a private organization made up of 18 physicians. The CCG investigation and resolution demonstrates that OCR does not exempt even modest-size physician groups from scrutiny.

The investigation originated from an incident in 2012 in which a CCG employee’s laptop bag was stolen from the employee’s car. The laptop bag contained unencrypted computer server back-up media with the electronic protected health information (ePHI) of around 55,000 patients.

OCR emphasized CCG’s seven years of non-compliance with the Security Rule in the resolution agreement and CAP. Since the April 21, 2005, Security Rule compliance date, the OCR noted that CCG had not conducted an enterprise-wide risk analysis or established and implemented written policies regulating the removal of hardware and electronic media containing ePHI into, out of and within facilities, notwithstanding that CCG employees regularly transported ePHI. Additionally, the OCR found that CCG had not encrypted the backup tapes nor properly safeguarded the unencrypted backup tapes that were stolen from the employee’s car.

The CAP emphasizes general HIPAA compliance and the importance of conducting the security risk analyses at regular or as-needed intervals, implementing responsive risk management plans, and updating training materials and policies and procedures. This emphasis is consistent with our experience in working with healthcare clients on OCR investigations and are proving to be the most important and fundamental compliance tools a covered entity should have.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising

Written by:


BakerHostetler on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.