Indiana physician practice potentially violates HIPAA after employee laptop stolen

September 09, 2015

Indianapolis — A stolen laptop led a radiation oncology practice in Indiana to agree to settle potential HIPAA violations, pay the federal government $750,000 and adopt a corrective action plan to fix deficiencies in its compliance program.

Cancer Care Group, P.C. is a private physician practice with 13 radiation oncologists serving hospitals and clinics throughout Indiana. On Aug. 29, 2012, Cancer Care notified the Office for Civil Rights that a laptop bag was stolen from an employee’s car, according to an OCR news release. The bag contained the employee’s computer and unencrypted backup media, which contained the names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of about 55,000 current and former patients.

OCR’s subsequent investigation found that, prior to the breach, Cancer Care was in widespread noncompliance with the Health Insurance Portability and Accountability Act Security Rule. It had not conducted an enterprise-wide risk analysis when the breach occurred and did not have a written policy specifically governing the removal of hardware and electronic media containing electronic protected health information from its facilities, even though this was common practice within the organization, according to OCR.

OCR found that these two issues, in particular, contributed to the breach. An enterprise-wide risk analysis could have identified the removal of unencrypted backup media as an area of significant risk to Cancer Care’s electronic protected health information. Additionally, a comprehensive device and media control policy could have provided employees with direction in regard to their responsibilities when removing devices containing electronic protected health information from the facility, according to the news release.

“Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information,” said OCR Director Jocelyn Samuels. “Further, proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information.”

Cancer Care has taken corrective action with regard to the specific requirements of the Privacy and Security Rules that are at the core of this enforcement action, as well as actions to come into compliance with the other provisions of the HIPAA rules, OCR reported.

The ADA Complete HIPAA Compliance Kit has tools to help dentists comply with the law, including information about securing laptops through full-disk encryption. The kit — $300 for members and $450 retail — includes sample policies and procedures; a revised sample business associate agreement; a revised sample of a notice of privacy practices; a glossary of key terms; and a digital version to help tailor the content to a specific practice.

The kit also includes the ADA Practical Guide to HIPAA Training — a two-level CD-ROM training program.

Visit adacatalog.org to order these products. To receive a 15 percent discount, use promo code 15120 by Nov. 13.