This large fine offers some very important lessons. Let’s take a closer look:
- Cancer Care Group is a mid-size practice. They have 18 physicians. It is important to note the size of the organization. Many organizations incorrectly believe that large HIPAA fines are only handed out to hospitals and very large healthcare organizations.
- The HIPAA fine was triggered by a stolen laptop bag that contained unencrypted backup media which contained information on 55,000 patients
- OCR made it very clear that the fine was handed out because Cancer Care Group basically ignored the HIPAA Security Rule requirements
- The $750,000 OCR fine may pale in comparison to the cost of this data breach. Using the Ponemon 2015 Cost of Data Breach Study, let’s assume the cost is $398 per record. 55,000 records would put the cost of this breach to Cancer Care Group just shy of $20 million!
- Assuming Cancer Care Group had between 100-250 employees, a HIPAA compliance program would have cost them about $4,000. They would have completed an enterprise-wide risk analysis, they would have been informed about the risk of unencrypted backup media, they would have had policies that address the removal of media that contained electronic protected health information (ePHI), and their employees would have received HIPAA Security and Privacy training. I can say with certainty that in hindsight they would gladly have paid $4,000 in exchange for a $750,000 fine and all the negative publicity they have received.
- Another fact that should be noted is that most malpractice or general liability insurance policies DO NOT cover HIPAA related fines. Unless Cancer Care Group had a specific insurance policy that covers HIPAA related fines, they will most likely have to pay this fine out of their own pocket. But even if they had HIPAA insurance there is a chance that the insurance company will not pay the fine due to gross negligence, just ask Cottage Health System.
- OCR is sending a very clear message to healthcare organizations. The message is that if you have a data breach and OCR finds that you have ignored HIPAA requirements, there is a good chance that you will be handed a very large fine. While the chance of being randomly audited is very small, the chance of having a data breach is much higher. Data breaches can happen due to lost or stolen laptops and USB drives, they can happen due to someone breaking into an office and stealing computers, they can happen due to employee mistakes, and they can happen if someone hacks into an organization’s network. The chance of a data breach increases every day. If OCR investigates the data breach they will want proof that the organization has complied with HIPAA regulations and that they have put in place safeguards to properly protect patient information. Breaches happen and many times OCR investigates and does not hand out any fines. But as this case shows, if OCR finds that you ignored HIPAA regulations, be prepared to be penalized!
On August 29, 2012, OCR received notification from Cancer Care regarding a breach of unsecured electronic protected health information (ePHI) after a laptop bag was stolen from an employee’s car. The bag contained the employee’s computer and unencrypted backup media, which contained the names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of approximately 55,000 current and former Cancer Care patients.
OCR’s subsequent investigation found that, prior to the breach, Cancer Care was in widespread non-compliance with the HIPAA Security Rule. It had not conducted an enterprise-wide risk analysis when the breach occurred in July 2012. Further, Cancer Care did not have in place a written policy specific to the removal of hardware and electronic media containing ePHI into and out of its facilities, even though this was common practice within the organization. OCR found that these two issues, in particular, contributed to the breach, as an enterprise-wide risk analysis could have identified the removal of unencrypted backup media as an area of significant risk to Cancer Care’s ePHI, and a comprehensive device and media control policy could have provided employees with direction in regard to their responsibilities when removing devices containing ePHI from the facility.
“Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information,” said OCR Director Jocelyn Samuels. “Further, proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information.”