On September 2, the Department of Health and Human Services Office of Civil Rights (OCR) announced a settlement with Cancer Care Group, P.C., a thirteen-physician oncology practice in Indiana related to violations of the HIPAA Privacy and Security Rules. Under the settlement, Cancer Care Group will pay $750,000 in fines and penalties and will enter into a robust corrective action plan.

In August 2012, Cancer Care Group reported a breach of ePHI that resulted from computer hardware stolen from an employee’s car. That computer contained personal information and medical records for 55,000 patients. During the subsequent investigation, OCR discovered pervasive non-compliance with HIPAA and its regulations. Fundamentally, Cancer Care Group had failed to conduct a rigorous risk analysis of its practices, which is a foundational requirement for all HIPAA compliance programs. Additionally, they did not have the appropriate policies and procedures in place to comply with the data protection obligations imposed on all Covered Entities and Business Associates by the HIPAA Privacy and Security Rule.

This settlement agreement highlights the seriousness with which OCR views HIPAA non-compliance. Most striking is that penalties of this magnitude were imposed on a small physician organization, while most HIPAA enforcement actions have been aimed at hospitals or other large organizations. This shows an increasing emphasis from OCR on HIPAA compliance for all organizations, no matter their size or provider type. Also, that the action arose out of a self-reported breach (as is required under HIPAA) demonstrates that all entities subject to HIPAA are at risk of investigation and penalties, even if they comply with self-reporting requirements. Finally, the cost of a corrective action plan can exceed even a high amount of penalties, if serious deficiencies are uncovered. All providers should take immediate proactive steps to conduct a thorough risk assessment and analysis of their HIPAA compliance program.