In a recent enforcement action, the Office for Civil Rights (OCR) emphasized the importance of proactive security measures to protect electronic protected health information (ePHI) in accordance with the HIPAA Privacy and Security Rules.
OCR announced a settlement with Cancer Care Group, PC (CCG), for failure to conduct an enterprise-wide risk analysis and to adopt written policies on the removal of electronic media containing ePHI. CCG, a radiation oncology private physician practice with 13 oncologists who serve hospitals and clinics throughout Indiana, agreed to pay $750,000 and implement a comprehensive corrective action plan.
OCR initiated an investigation after CCG submitted a breach report regarding the theft of a laptop bag, containing a laptop, from an employee’s car. Although the laptop did not contain ePHI, the bag did include unencrypted backup media with the names, addresses, dates of birth, Social Security numbers, insurance information, and clinical information of approximately 55,000 current and former CCG patients.
During the investigation, OCR found widespread noncompliance with the Security Rule. OCR determined that CCG’s noncompliance contributed to the breach and concluded that, had CCG taken action proactively, the breach could have been avoided.
Steps to Comply with HIPAA Regulations
- Perform a HIPAA Risk Assessment.
- Address the vulnerabilities revealed in the Risk Assessment.
- Write and enforce policies and procedures related to the security of ePHI, including a sanctions policy.
- If you do not encrypt, ensure that you have documentation to support your reasoning and implement compensating controls.
- Train (and re-train) employees!
- Make sure your Business Associates have their own privacy and security policies and enforce them.
- Review system activity! Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
Written by: Samantha Prokop, Healthcare Attorney