$750K HIPAA fine for Indianapolis practice

Cancer Care Group, a radiation oncology practice in Indianapolis, faces a $750,000 HIPAA settlement from the Department of Health and Human Services for failing to encrypt devices and laptops containing patient data. The practice agreed to pay the sum to settle alleged HIPAA violations involving a breach that occurred three years ago.

In August 2012, Cancer Care reported a HIPAA security breach to the Office for Civil Rights after unencrypted server backup media and a laptop were stolen from an employee's car. The device contained the protected health information, Social Security numbers and insurance data for about 55,000 patients.

The Office for Civil Rights' investigation discovered that even before the breach Cancer Care was in "widespread non-compliance with the HIPAA Security Rule," the Department of Health and Human Services said.

Cancer Care had not conducted an enterprise-wide risk analysis at the time the laptop and device were stolen, and had no written policy in place addressing or controlling the removal of electronic media from its locations. The practice also hadn't addressed these deficiencies since 2005, the year the security rule compliance date went into effect.

"Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients' health information," said OCR Director Jocelyn Samuels, in a statement. "Further, proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information."

The settlement includes a corrective action plan for Cancer Care that requires conducting a risk analysis to be submitted for review by HHS. The practice also will need to develop and put in place an enterprise-wide risk management plan that addresses security risks, data systems and portable electronic devices. It also must update its policies and employee training program. HHS will review all of the measures.

 

Beth Walsh, Editor
