Most civil money penalties (“CMPs”) to date have involved risk analysis: failure to do one, failure to do a complete one, or failure to update one. The risk of not doing so (a six- or seven-figure fine, or a settlement in lieu thereof) has been well documented. Even so, we continue to see failures to meet this standard of the Security Rule. Thus, we have another HIPAA settlement.
The Department of Health and Human Services (“DHHS”) Office for Civil Rights (“OCR”) has settled the lack of a timely risk analysis for $750,000 with Cancer Care Group, P.C., a 13-clinician practice. This violation came to light after the theft, from an employee’s car, of an unencrypted laptop and back-up media containing protected health information (“PHI”) of 55,000 of the Group’s patients.
An OCR investigation found the lack of an enterprise-wide risk analysis. In addition, Cancer Care Group did not have in place a written policy specific to the removal of hardware and electronic media containing electronic protected health information (“EPHI”) from its facilities.
Besides paying the $750,000 fine, according to the OCR press release, Cancer Care Group must, as part of the Resolution Agreement with OCR, comply with a “robust” corrective action plan (“CAP”). The CAP requires the Group to take a number of steps, including a risk analysis.
Maybe we should title these blog posts on HIPAA risk analysis, policies and procedures, and training something like “Do it now or do it later.” We have resources to help you on our Veterans Press website. No, our HIPAA compliance tools and services are not cheap, but they are certainly a lot cheaper than that free trip to Leavenworth or that expensive trip to the bank, as my trusty cohort and editor, Alice McCart, likes to say.