Health IT Pulse

Sep 17 2015   3:36PM GMT

$750,000 settlement points to the need for strong HIPAA policies

Kristen Lee

Tags:
HIPAA
HIPAA audits
HIPAA Compliance
HIPAA data breach
HIPAA enforcement
HIPAA healthcare data

Many have talked about how HIPAA audits have yet to materialize. But for some providers, HIPAA-related investigations are very much a reality. Take the story of Cancer Care Group, Inc., located in Indiana, which provides a cautionary tale of what could happen if a covered entity does not do everything in its power to ensure HIPAA compliance.

On September 2, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) reported that it agreed to settle potential violations of HIPAA with the Cancer Care Group for a sizeable $750,000. Not only will the Cancer Care Group have to pay up, but it also had to agree to a three-year corrective action plan that OCR will monitor.

Here’s what happened (and it’s something that is, unfortunately, a fairly common occurrence and easy mistake to make): On August 29, 2012, the OCR was notified by the Cancer Care Group that there was a breach of unsecured electronic PHI due to a laptop bag being stolen from an employee’s car. The bag contained the employee’s computer and unencrypted back-up media that contained the names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of approximately 55,000 current and former Cancer Care patients, according to the government. OCR said the Cancer Care Group did not have a written policy to routinely remove back-up media from devices that left the clinics, which contributed to the breach.

Although the HIPAA audits have been delayed several times — and at the beginning of this year OCR Director Jocelyn Samuels couldn’t give a definitive timeline for the audits — the government can still investigate alleged violations, even if they’re self-reported by an organization. However, a 2014 survey by NueMD — a seller of cloud-based medical practice software — of more than 1,000 healthcare providers and administrators found that most doctors are unprepared, with only 32% of respondents indicating they knew about the HIPAA audits at all.

In an article about the Cancer Care Group settlement, the National Law Review urges covered entities and business associates “to ensure that risk assessments and policies are up to date, are well documented, and provide for adequate safeguards for the nature and scope of the business involved.”

2  Comments on this Post

 
  • PrivateEye
    HIPAA audits are certainly important for many organizations as compliance is a very real concern. This white paper discusses HIPAA compliance and explains how there is some visual technology that will help stop eavesdropping while ensuring HIPAA compliance and documenting compliance issues: http://www.privateeyeenterprise.com/wp-content/uploads/2015/07/OptioLabs_HealthCare_Whitepaper.pdf
  • qliqsoft
    HIPAA should be made mandatory for audits; claiming hospitals are unaware doesn't end well.