On September 2, 2015, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced a substantial settlement with an
Indiana-based oncology group, Cancer Care Group, P.C. (CCG). Under the terms of the settlement, the group paid $750,000 in fines and has agreed to adopt a
lengthy corrective action plan detailed in a
The CCG settlement comes after an OCR investigation revealed potential violations of the Health Insurance Portability and Accountability Act of 1996
(HIPAA) Privacy, Security, and Breach Notification Rules. OCR opened its investigation following a report that a CCG workforce member left a laptop bag
unattended in his car, where it was stolen by a third party. The laptop bag included the member’s computer, which was encrypted and did not contain
electronic protected health information (ePHI), and backup media from a computer server, which was not encrypted and contained the ePHI of approximately 55,000
individuals. The OCR investigation revealed that CCG failed to properly secure the ePHI contained on the backup media, and did not have in place a written
policy regarding the removal of hardware and electronic media containing ePHI into and out of its facilities. The investigation also revealed that CCG
failed to conduct an assessment or implement policies and procedures addressing the incident. Accordingly, OCR concluded that CCG was in widespread
noncompliance with the HIPAA Security Rule.
In addition to paying $750,000, CCG agreed to implement an extensive Corrective Action Plan (CAP). The CAP includes CCG’s commitment to conduct a thorough
analysis of security risks and vulnerabilities relating to the storage, transmission and receipt of ePHI and to provide a report to HHS for approval within
90 days. Based on the findings of the report, CCG will review and revise its policies, procedures and training programs, and submit proposed revisions to
HHS for review and approval. In addition, CCG has agreed to submit annual reports for three years regarding the status and findings of CCG’s compliance
with the CAP.
The recent CCG settlement is another example of the increased emphasis that OCR is placing on the security of PHI stored electronically. Following this incident,
OCR Director Jocelyn Samuels warned that “[o]rganizations must complete a comprehensive risk analysis and establish strong policies and procedures to
protect patients’ health information” and advised that “proper encryption of mobile devices and electronic media reduces the likelihood of a breach of
protected health information.”
If you need assistance with the implementation of a compliance program to minimize risks to health information privacy and security, please do not hesitate
to contact one of the authors of this article.