$750K HIPAA fine for Indianapolis practice

Cancer Care Group, a radiation oncology practice in Indianapolis, faces a $750,000 HIPAA settlement from the Department of Health and Human Services for failing to encrypt devices and laptops containing patient data. The practice agreed to pay the sum to settle alleged HIPAA violations involving a breach that occurred three years ago.

In August 2012, Cancer Care reported a HIPAA security breach to the Office for Civil Rights after unencrypted server backup media and a laptop were stolen from an employee's car. The device contained the protected health information, Social Security numbers and insurance data for about 55,000 patients.

The Office for Civil Rights' investigation discovered that even before the breach Cancer Care was in "widespread non-compliance with the HIPAA Security Rule," the Department of Health and Human Services said.

Cancer Care had failed to conduct an enterprise-wide risk analysis when the laptop and device were stolen, and had no written policy in place addressing or controlling the removal of electronic media from its locations. The practice also hadn't addressed these deficiencies since 2005, the year the security rule compliance date went into effect.

"Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients' health information," said OCR Director Jocelyn Samuels, in a statement. "Further, proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information."

The settlement includes a corrective action plan for Cancer Care that requires conducting a risk analysis to be submitted for review by HHS. The practice also will need to develop and put in place an enterprise-wide risk management plan that addresses security risks, data systems and portable electronic devices. It also must update its policies and employee training program. HHS will review all of the measures.

 

Beth Walsh, Editor
