The Office for Civil Rights (OCR) is responsible for enforcing civil rights laws that apply to recipients of federal financial assistance from the U.S. Department of Health and Human Services. OCR also enforces Federal Health Care Provider Conscience Protection statutes, as well as Title II of the Americans with Disabilities Act as it applies to state and local government health and social service agencies.
OCR recently reported that it had agreed to settle potential violations of the HIPAA Privacy and Security Rules with Cancer Care Group, Inc. The violations stem from an incident that occurred on August 29, 2012, the date on which Cancer Care informed OCR about a theft.
A laptop in a bag had been stolen from an employee's car. The problem was that, along with the laptop, the bag also contained unencrypted backup media holding the names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of approximately 55,000 current and former Cancer Care patients. This led OCR to levy a $750,000 fine on Cancer Care.
The ultimate result was a breach of unsecured electronic protected health information (ePHI). According to OCR, Cancer Care was in widespread non-compliance with the HIPAA Security Rule. Several problems were stated in OCR’s press release concerning Cancer Care’s actions.
According to OCR, the provider had not conducted an enterprise-wide risk analysis. Nor did it have any written policy governing the removal of hardware and electronic media containing ePHI into and out of its facilities, even though such removal was common practice within the organization.
A released statement said, “OCR found that these two issues, in particular, contributed to the breach, as an enterprise-wide risk analysis could have identified the removal of unencrypted back-up media as a significant risk to Cancer Care’s ePHI, and a comprehensive device and media control policy could have provided employees with direction in regard to their responsibilities when removing devices containing ePHI from the facility.”
It was not really the theft of the laptop itself that concerned OCR; thefts and breaches are common, and according to a KPMG report, 81 percent of hospitals and health insurance companies had a data breach in the past two years. What concerned OCR was the alleged lack of safeguards and compliance that could potentially have prevented the breach from happening in the first place.
Cancer Care has agreed to complete an OCR-imposed corrective action plan. Under the plan, Cancer Care must obtain OCR's approval before proceeding with key compliance steps; in particular, the practice must provide its risk assessment to OCR within 90 days of the effective date of the settlement agreement and await OCR's approval.
Afterwards, it will have to go through a similar process for other components of the HIPAA Security Rule, including the development of a risk management plan and a training program. In addition, Cancer Care must provide an annual report to OCR for at least three years covering updates or changes to its risk management plan.
These are just a few of the stipulations that Cancer Care will have to follow over the next couple of years. As Cancer Care found out, data management needs to be taken seriously. No business of any type wants to suffer a breach, but without proper precautions in place to prevent one, the data is at risk, especially when it involves personal, medical or financial information.