An oncology practice in Indiana has to pay a $750,000 fine to the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services. The fine stems from the theft of a laptop computer and an unencrypted backup device (e.g., a thumb drive) from an employee’s car. The OCR’s investigation concluded that, while the laptop held no protected health information (PHI), the backup device contained PHI for 55,000 patients of the practice. The oncology practice’s culpability resulted, in part, from its failure to prepare and implement a written policy specific to the removal of hardware and electronic media from its facilities. The OCR’s director noted that “proper encryption of mobile devices … reduces the likelihood of a breach of [PHI].” The OCR found that the oncology practice was not in compliance with the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (HIPAA). In addition to the fine, the oncology practice entered into a resolution agreement with the OCR requiring the practice to implement a corrective action plan.
This most recent enforcement action highlights the need for companies of all sizes to conduct a comprehensive, enterprise-wide risk analysis on a regular basis and to develop reasonable safeguards for the common risk-increasing scenarios that the analysis identifies. Those safeguards should be documented in specific written security and privacy policies. The OCR’s comments on the situation also make clear that the OCR does not look kindly on the failure to use appropriate encryption.
For questions or assistance, including about HIPAA compliance, please contact Tim Swan or Jane Hils Shea in Frost Brown Todd’s Privacy and Information Security Law Practice Group, or Chad Eckhardt in the Health Law Practice Group.