
Another HIPAA Security Rule Settlement Underscores the Importance of Risk Analysis and Device Management

Publications - Client Alert | September 2, 2015
Cancer Care Group, PC

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced today a $750,000 settlement with Cancer Care Group, PC (CCG), a 13-physician radiology oncology practice in Indiana.

OCR was notified in 2012 regarding a breach of unsecured electronic protected health information (ePHI) following the theft of a Cancer Care Group employee’s laptop and backup media. The laptop and media were both unencrypted and contained ePHI of approximately 55,000 current and former patients.

OCR investigated Cancer Care Group after receiving the breach notification and discovered widespread non-compliance with the HIPAA Security Rule dating back to the Security Rule’s effective date in 2005. Most notably, OCR concluded that Cancer Care Group “failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by CCG (See 45 C.F.R. § 164.308(a)(1)(ii)(A))” and “failed to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility (See 45 C.F.R. § 164.310(d)(1)).”

Read the HHS press release here.

The Resolution Agreement and Corrective Action Plan for Cancer Care Group, PC is available here.

HHS continues to remind organizations that a HIPAA risk assessment is a critical and mandatory component of compliance with the Security Rule.

Risk Analysis Requirement

In a July 14, 2010 guidance document, OCR explained that there are several elements to risk analysis:

  • Gather data on where ePHI is stored, received, maintained or transmitted.
  • Identify and document potential threats and vulnerabilities.
  • Assess current security measures.
  • Determine the likelihood of threat occurrence.
  • Determine the potential impact of threat occurrence.
  • Determine the level of risk.
  • Document each step in the process.
  • Review and update risk analysis periodically.

The risk analysis is a stand-alone requirement, but it is the touchstone that an organization must use when determining how to implement the other HIPAA Security Rule requirements.

Covered Entities and their Business Associates must comply with the HIPAA Security Rule. It is a challenging set of rules for organizations of all sizes, and it requires periodic reviews and updates as the organization undergoes structural and organizational changes, as well as updates to address changes in the risk environment the organization faces. The risks are real and significant, and they grow each day.

Additional Information

If your organization is in need of a HIPAA compliance review or training, please contact your Kutak Rock attorney or the author of this client alert.