An oncology practice in Indiana has to pay a $750,000 fine to the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services. The fine results from the theft of a laptop computer and an unencrypted backup device (e.g., a thumb drive) from an employee’s car. The OCR’s investigation concluded that, while the laptop held no protected health information (PHI), the backup device contained PHI for 55,000 patients of the practice. The oncology practice’s culpability resulted, in part, from its failure to prepare and implement a written policy specific to the removal of hardware and electronic media from its facilities. The OCR’s director noted that “proper encryption of mobile devices … reduces the likelihood of a breach of [PHI].” The OCR found that the oncology practice was not in compliance with the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (HIPAA). In addition to the fine, the oncology practice entered into a resolution agreement with the OCR requiring the practice to implement a corrective action plan.
This most recent enforcement action highlights the need for companies of all sizes to conduct a comprehensive, enterprise-wide risk analysis on a regular basis and to develop reasonable safeguards for the common risk-increasing scenarios that analysis identifies. Those safeguards should be documented in specific written security and privacy policies. The OCR’s comments on the situation also make clear that the OCR does not look kindly on the failure to use appropriate encryption.