September 13, 2015

Health Care Privacy Alert: How a Stolen Laptop Cost One Medical Group $750,000


By Sarah Mills, Stoll Keenon Ogden PLLC

If you think your business has a low risk of incurring fines for violating the privacy requirements of the Health Insurance Portability and Accountability Act (HIPAA), think again.

The U.S. Department of Health and Human Services, Office for Civil Rights (HHS) is aggressively pursuing physician practice groups for HIPAA violations, even when privacy and security measures are promptly enacted after a breach of unsecured electronic protected health information (ePHI). A case settled early this month underscores the risks of delayed compliance.

What Was Lost
In August 2012, Cancer Care Group, P.C. (CCG) notified HHS that a laptop and unencrypted backup tapes were stolen from an employee’s vehicle. The unencrypted backup media contained ePHI for approximately 55,000 individuals, including names, addresses, birthdates, Social Security numbers, insurance information and clinical information.

What HHS Discovered
The practice did not conduct an accurate and thorough analysis of the potential risks and vulnerabilities of its ePHI as part of its security management process until three months later.

Making matters worse, CCG did not have fully written policies, procedures and training in place regarding breach notification rules and requirements under HIPAA until January 2013.

HHS said CCG impermissibly disclosed ePHI of up to 55,000 individuals by providing an unauthorized person access to the ePHI, for a purpose not permitted by the privacy rules under HIPAA, when it failed to safeguard unencrypted backup tapes that were stolen from an unattended vehicle.

The Expensive Results
On August 31, 2015, CCG and HHS entered into a resolution agreement. CCG agreed to pay $750,000 to settle claims that it violated HIPAA. CCG did not admit liability, but agreed to a corrective action plan to address deficiencies in its HIPAA compliance program. The corrective action plan requires CCG to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities, and provide an implementation report to HHS. Here’s the resolution agreement.

What You Should Do
We’ve seen other enforcement cases in which federal regulators look to make examples of crime victims when a health information privacy breach resulted from the crime. And since no one will ever solve the pervasive problem of employees leaving their personal electronics unguarded, now is an excellent time to review your practice’s current encryption procedures, internal controls on electronic devices, or your entire compliance program.

SKO’s Privacy and Information Security practice group can help ensure your compliance and the privacy of your clients. Contact Sarah Mills, David Lester, Harry Dadds, Douglas Brent or Wade Hendricks.