Avoid HIPAA Violations by Assessing Risk and Encrypting Portable Media

A stolen laptop recently led to an investigation of a physician group and the payment of a $750,000 penalty to resolve the HIPAA violations.

The case involved Cancer Care Group, P.C. (CCG), one of the largest radiation oncology private physician practices in the country.

As required by the HIPAA Breach Notification Rule, CCG notified the Office for Civil Rights (OCR) of a stolen laptop bag in July 2012. According to the resolution agreement, the laptop itself did not contain protected health information (PHI). However, the laptop bag also contained computer server backup media holding the PHI of approximately 55,000 individuals. This unencrypted backup media had been left on the passenger side of a workforce member’s car, where it was stolen after a thief broke the window.

During its investigation, OCR’s findings included allegations that CCG did not conduct an accurate and thorough risk assessment, did not implement appropriate policies and procedures regarding the removal of hardware and media containing PHI, and failed to safeguard the unencrypted backup media.

This HIPAA case is an important reminder to covered entities and business associates to conduct a risk assessment as required by the HIPAA Security Rule, and to develop, implement and train their workforce on policies addressing the proper handling of portable media. It also reinforces the importance of encryption. The HIPAA Breach Notification Rule applies only to the breach of unsecured protected health information. In this case, if the portable backup media had been encrypted in accordance with the HIPAA standards, the theft would not have constituted a “Breach” as defined by the HIPAA Breach Notification Rule, and the investigation and resulting settlement payment could have been avoided.