The Anesthesia Insider Blog

HIPAA Privacy Breach Penalties: Don’t Let Them Happen to Your Anesthesiology Practice

Have you conducted an enterprise-wide analysis of the risk of a loss of unsecured electronic protected health information (ePHI)?  Do you have in place a written policy specific to the removal of hardware and electronic media containing ePHI into and out of your office or OR suite?

Negative answers to those two questions were the major factors behind the ePHI breach that led to a $750,000 penalty levied against Cancer Care Group, P.C., a 13-physician radiation oncology practice with facilities throughout Indiana.

In August 2012, the Cancer Care Group notified the Office of Civil Rights (OCR) in the Department of Health and Human Services that a laptop bag had been stolen from an employee’s car in Indianapolis, Indiana, a month earlier.  According to the report, the laptop bag contained the employee’s computer, which did not contain ePHI, and computer server backup media, which contained the ePHI of approximately 55,000 individuals.  The ePHI included the Social Security numbers of patients, which would easily permit identity thieves to rack up debts in the names of the patients.  (There was no evidence that any patients in fact suffered any losses.)  During the course of its investigation—mandatory since the breach affected more than 500 individuals—OCR learned that a Cancer Care Group employee had left the unencrypted computer server backup media unattended in the passenger section of his car, where it was then stolen by a third party who broke a window in the car.

As stated in OCR’s press release:

OCR’s subsequent investigation found that, prior to the breach, Cancer Care was in widespread non-compliance with the HIPAA Security Rule.  It had not conducted an enterprise-wide risk analysis when the breach occurred in July 2012.  Further, Cancer Care did not have in place a written policy specific to the removal of hardware and electronic media containing ePHI into and out of its facilities, even though this was common practice within the organization.  OCR found that these two issues, in particular, contributed to the breach, as an enterprise-wide risk analysis could have identified the removal of unencrypted backup media as an area of significant risk to Cancer Care’s ePHI, and a comprehensive device and media control policy could have provided employees with direction in regard to their responsibilities when removing devices containing ePHI from the facility.

The settlement agreement that Cancer Care Group entered into with OCR required, in addition to the $750,000 penalty, that the group implement a corrective action plan that involves taking the following steps:

conduct a risk analysis to be submitted for review by HHS;
develop and put in place an enterprise-wide risk management plan that addresses security risks, data systems and portable electronic devices; and
update its policies and employee training program, all of which are to be reviewed by HHS.

Not having performed a risk assessment and not having policies in place to protect ePHI were thus very expensive errors for the oncology group.  Every practice should pay close attention to the statement by OCR Director Jocelyn Samuels in the press release that “Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information.  Further, proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information.”

OCR has attempted to make the number one task—which it admits is “challenging”—easier by making available a downloadable Security Risk Assessment (SRA) Tool to help guide users through the process.  (An iPad version is also available at the App Store.)  OCR explains that:

The SRA Tool takes you through each HIPAA requirement by presenting a question about your organization’s activities.  Your “yes” or “no” answer will show you if you need to take corrective action for that particular item.  There are a total of 156 questions.
Resources are included with each question to help you:

Understand the context of the question
Consider the potential impacts to your PHI if the requirement is not met
See the actual safeguard language of the HIPAA Security Rule
You can document your answers, comments, and risk remediation plans directly into the SRA Tool.  The tool serves as your local repository for the information and does not send your data anywhere else.

Completing a risk assessment requires a time investment.  At any time during the risk assessment process, you can pause to view your current results.  The results are available in a color-coded graphic view (Windows version only) or in printable PDF and Excel formats.

We note that HIPAA does not mandate encryption of ePHI, but every practice should at least consider encryption and document its decision in the course of its risk assessment.  A decision not to encrypt data could be reasonable, given the level of risk of exposure in certain circumstances, but that decision and its reasoning must be documented.  According to an item in the online HIPAA Journal dated September 2, 2015 (New OCR HIPAA Penalty: Cancer Care Group to Pay $750,000), “a HIPAA-covered entity must consider data encryption for all PHI stored, transmitted, or backed up.  A HIPAA-covered entity can make an informed decision as to whether data encryption is a wise precaution, but that means first assessing the level of risk of potential exposure of that data.”

A September 9 alert on the McDonald Hopkins website contains this additional information:

[R]isk analysis, encryption and mobile device security were recurring themes at an OCR cosponsored conference last week (Sept. 2 and 3, 2015) on Safeguarding Health Information. OCR Director Jocelyn Samuels, as well as other speakers from OCR, the Federal Trade Commission (FTC), and other agencies, described risk analysis and risk management as cornerstones to security.  Covered entities and business associates will face additional scrutiny with OCR’s HIPAA audits, which OCR officials assured last week will begin soon.
At last week’s conference, Iliana Peters, the senior advisor for compliance and enforcement at OCR, praised CCG [Cancer Care Group] for providing innovative radiation oncology services to patients who otherwise wouldn’t have access.  This wasn’t enough, however, to prevent OCR from pursuing CCG for HIPAA violations.  The CCG settlement provides an important reminder that doing good doesn’t excuse even an innovative physician practice from its obligations to safeguard patient information.

We also call readers’ attention to the fact that to date, 28 organizations have paid out nearly $28.2 million to settle potential HIPAA violations, according to HHS data.  (E. McCann, Oncology group slapped with $750K HIPAA fine.  Healthcare IT News, September 2, 2015.)  

If a practice has not conducted a risk assessment or established policies—or made sure that these have been updated since 2005, when HIPAA first called for them—then the message to do so now should be clear.  Groups can do the necessary work themselves using the SRA tool mentioned above.  There are numerous firms with the requisite HIPAA security expertise that can also help; ABC can refer clients to such firms.  Having an up-to-date assessment and plan in place is important not just to limit one’s vulnerability to loss of ePHI, but also to satisfy the OCR in case of a breach and an investigation.  As we have seen, it is not enough to do almost everything else right.
