On September 2, 2015, the US Department of Health and Human Services, Office for Civil Rights (OCR) announced a new settlement for $750,000 with Cancer Care Group, P.C. (Cancer Care) to resolve potential violations of the HIPAA Privacy and Security Rules identified as the result of the theft of a laptop and backup media.  As part of the Resolution Agreement, Cancer Care also will adopt a corrective action plan to correct deficiencies in its HIPAA compliance program.  Cancer Care is a private radiation oncology practice with 13 radiation oncologists providing services throughout Indiana.

OCR’s investigation began in August 2012, after Cancer Care reported a breach of unsecured protected health information when a laptop bag containing an employee’s computer and unencrypted backup media was stolen from the employee’s car.  The computer and unencrypted backup media contained protected health information (PHI) and financial information for approximately 55,000 current and former patients.  During the course of its investigation, OCR discovered that Cancer Care had never conducted an enterprise-wide risk analysis before the breach occurred, despite the Security Rule requiring since April 2005 that covered entities conduct a risk analysis.  (This requirement was extended to business associates under the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 and through regulation effective September 23, 2013.)  Cancer Care also did not have in place a written policy specific to the movement of hardware and electronic media containing PHI into and out of its facilities, even though this movement was a common practice.

This settlement provides a useful reminder to covered entities and business associates about the importance of conducting a thorough risk analysis.  As OCR continues to emphasize, a good risk analysis serves as the basis for an entity’s HIPAA compliance program by providing the entity with a road map for the policies and procedures that must be put in place to mitigate potential risks.  In this case, OCR found that an enterprise-wide risk analysis would have identified the removal of unencrypted backup media as an area of significant risk, and if a comprehensive device and media controls policy had been developed and implemented based on the identification of this potential risk, this policy may have prevented the behavior that resulted in the breach.