Many have talked about how HIPAA audits have yet to materialize. But for some providers, HIPAA-related investigations are very much a reality. Take the story of Cancer Care Group, Inc., located in Indiana, which provides a cautionary tale of what could happen if a covered entity does not do everything in its power to ensure HIPAA compliance.
On September 2, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced that it had agreed to settle potential HIPAA violations with the Cancer Care Group for a sizeable $750,000. Not only does the Cancer Care Group have to pay up, but it also agreed to a three-year corrective action plan that OCR will monitor.
Here’s what happened (and it’s something that is, unfortunately, a fairly common occurrence and an easy mistake to make): On August 29, 2012, the Cancer Care Group notified OCR of a breach of unsecured (that is, unencrypted) electronic PHI after a laptop bag was stolen from an employee’s car. The bag contained the employee’s computer and unencrypted back-up media holding the names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of approximately 55,000 current and former Cancer Care patients, according to the government. OCR said the Cancer Care Group had no written policy governing the routine removal of back-up media from devices that left the clinics, which contributed to the breach. Had the media been encrypted, the PHI would not have counted as “unsecured” under HHS guidance, and the theft would not have been a reportable breach.
Although the HIPAA audits have been delayed several times — and at the beginning of this year OCR Director Jocelyn Samuels couldn’t give a definitive timeline for them — the government can still investigate alleged violations, including those an organization self-reports. Yet a 2014 survey by NueMD — a seller of cloud-based medical practice software — of more than 1,000 healthcare providers and administrators found that most are unprepared: only 32% of respondents indicated they knew about the HIPAA audits at all.
In an article about the Cancer Care Group settlement, the National Law Review urges covered entities and business associates “to ensure that risk assessments and policies are up to date, are well documented, and provide for adequate safeguards for the nature and scope of the business involved.”