OCR Fines Cancer Care Group $750K for Potential HIPAA Security Violations

Sept. 3, 2015
An Indiana-based radiation oncology practice, Cancer Care Group, P.C., agreed to pay $750,000 in potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules stemming from a 2012 data breach.

An Indiana-based radiation oncology practice, Cancer Care Group, P.C., agreed to pay $750,000 in potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules stemming from a 2012 data breach.

The settlement was agreed upon with the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). In addition to the fines, the practice will adopt a corrective action plan to correct deficiencies in its HIPAA compliance program, according to OCR.

The potential violations stem from an incident in July 2012 regarding a breach of unsecured electronic protected health information (ePHI). Cancer Care notified OCR that an employee’s laptop bag was stolen, including the theft of unencrypted backup media containing names, addresses, Social Security numbers, insurance information and clinical information for 55,000 current and former patients.

According to OCR, a subsequent investigation of the breach found that “Cancer Care was in widespread non-compliance with the HIPAA Security Rule.” The practice failed to conduct an enterprise-wide risk analysis at the time of the breach, and it also did not have a written policy in place regarding the removal of hardware and electronic media containing ePHI into and out of its facilities.

“Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information,” OCR Director Jocelyn Samuels said in a statement. “Further, proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information.”

Cancer Care has taken corrective action with regard to the specific requirements of the Privacy and Security Rules that are at the core of this enforcement action, as well as actions to come into compliance with the other provisions of the HIPAA rules, according to OCR.

Sponsored Recommendations

How Digital Co-Pilots for patients help navigate care journeys to lower costs, increase profits, and improve patient outcomes

Discover how digital care journey platforms act as 'co-pilots' for patients, improving outcomes and reducing costs, while boosting profitability and patient satisfaction in this...

5 Strategies to Enhance Population Health with the ACG System

Explore five key ACG System features designed to amplify your population health program. Learn how to apply insights for targeted, effective care, improve overall health outcomes...

A 4-step plan for denial prevention

Denial prevention is a top priority in today’s revenue cycle. It’s also one area where most organizations fall behind. The good news? The technology and tactics to prevent denials...

Healthcare Industry Predictions 2024 and Beyond

The next five years are all about mastering generative AI — is the healthcare industry ready?