OCR Fines Cancer Care Group $750K for Potential HIPAA Security Violations | Healthcare Informatics Magazine

September 3, 2015
by Heather Landi

An Indiana-based radiation oncology practice, Cancer Care Group, P.C., agreed to pay $750,000 to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules stemming from a 2012 data breach.

The settlement was agreed upon with the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). In addition to the fines, the practice will adopt a corrective action plan to correct deficiencies in its HIPAA compliance program, according to OCR.

The potential violations stem from a July 2012 breach of unsecured electronic protected health information (ePHI). Cancer Care notified OCR that an employee’s laptop bag was stolen, and that the theft included unencrypted backup media containing names, addresses, Social Security numbers, insurance information and clinical information for 55,000 current and former patients.

According to OCR, a subsequent investigation of the breach found that “Cancer Care was in widespread non-compliance with the HIPAA Security Rule.” The practice had not conducted an enterprise-wide risk analysis at the time of the breach, and it also did not have a written policy in place regarding the removal of hardware and electronic media containing ePHI into and out of its facilities.

“Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information,” OCR Director Jocelyn Samuels said in a statement. “Further, proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information.”

Cancer Care has taken corrective action with regard to the specific requirements of the Privacy and Security Rules that are at the core of this enforcement action, as well as actions to come into compliance with the other provisions of the HIPAA rules, according to OCR.
