On September 2, the Office for Civil Rights (OCR) and the U.S. Department of Health and Human Services (HHS) announced its agreement to settle potential HIPAA violations with Cancer Care Group, P.C. for $750,000 after a Cancer Care employee’s laptop was stolen from his car and with it, the unsecured electronic health information of approximately 55,000 patients. The HHS press release highlighted some significant take-away points from this increasingly common healthcare data breach story.
Compliance Programs May [Partially] Save You If A Breach Occurs
Healthcare providers usually don’t expect a breach, but if a breach occurs, providers who have compliance programs in place are less likely to face stringent OCR enforcement action. In Cancer Care Group’s case, OCR investigation revealed the provider was in “widespread non-compliance with the HIPAA Security Rule,” and according to the HHS press release, the group “had not conducted an enterprise-wide risk analysis…[and] did not have in place written policy specific to the remove of hardware and electronic media containing ePHI into and out of its facilities, even though this was common practice within the organization.” Press Release, U.S. Dept. of Health and Human Serv., $750,000 HIPAA settlement emphasizes the importance of risk analysis and device and media control policies (Sept. 2, 2015). In fact, OCR found, “these two issues, in particular, contributed to the breach, as an enterprise-wide risk analysis could have identified the removal of unencrypted backup media as an area of significant risk to Cancer Care’s ePHI, and a comprehensive device and media control policy could have provided employees with direction in regard to their responsibilities when removing devices containing ePHI from the facility.” Id.Therefore, OCR’s criticism did not focus on the fact that the laptop was stolen—rather, it was the lack of a compliance program that drew the agency’s critique. Therefore, any healthcare based business that stores protected health information needs to have a stringent compliance program which not only protects a patient’s privacy from data breaches, but may also protect businesses from hefty penalties if such breaches do occur.
Small to Mid-Sized Practices – You Are Not Immune
Recent coverage of data breaches in large health-based companies such as UCLA Health Systems (affecting 4.5 million individuals), health insurer Excellus BlueCross BlueShield (affecting 10 million individuals), or health giant Anthem (affecting 80 million individuals) may lead small to mid-sized practices to believe they are not vulnerable to either a data breach or government investigation for HIPAA violations. Wrong! With only 13 radiation oncologist physicians at Cancer Care, the group was not small but certainly was not a national provider either. If a practice like Cancer Care can be the victim of a data breach and the subsequent subject of an OCR investigation for HIPAA violations, so can other smaller practices—and the fine can be just as crippling. In other words, healthcare businesses should not be of the mindset that they are too small to be noticed for HIPAA noncompliance by flying under the radar.
The weakest link in security is often people (not hackers)
One of the foremost important lesson learned from the Cancer Care story is that human error is often responsible for data breaches, so the continual training of employees must be a vital part of an overall compliance program. Cancer Care was not the victim of hackers who stole valuable patient health information. Instead, the breach followed an employee who had left his laptop in his car which was subsequently broken into and the laptop was stolen. No hackers were present. No cyberattacks occurred. In fact, Michael Bruemmer, vice president of Experian Data Breach Resolutions, said 80% of the root cause of data breaches is employee negligence. Marianne Kolbasuk McGee, “Biggest Health Data Breaches in 2014,” Data Breach Today, Dec. 22, 2014, available at http://www.databreachtoday.com/biggest-health-data-breaches-in-2014-a-7705. Since employees are often the weakest link in a security system, vulnerable to negligence such as losing laptops and clicking on phishing emails, one of the most important parts of an effective compliance program is employee training and continual re-training.
Don’t prepare for a HIPAA audit – prepare for a breach!
The law of numbers suggests that an individual’s healthcare based practice will likely not be the subject of a HIPAA audit, even if noncompliance is rampant. However, since recent surveys show 80% of health IT leaders have suffered some degree of cyberattack, the same law of numbers suggests that a great majority of healthcare practices are at risk for a data breach—and if noncompliance is rampant, the subsequent OCR and HHS investigation can be very costly both in terms of fines and reputation. Joseph Conn, “80% of Health IT Leaders Say Their Systems Have Been Compromised,” Modern Healthcare, August 26, 2015, available at http://www.modernhealthcare.com/article/20150826/NEWS/150829921. For Cancer Care, government agencies did not audit the group for HIPAA noncompliance. Instead, Cancer Care was the victim of a data breach, and the subsequent government investigation revealed vast compliance violations that led to the $750,000 settlement. So, any business that stores electronic protected health information (ePHI) must change their mindset from one that prepares for HIPAA audits which rarely occur, to one that is prepared to defend itself against a data breach which is becoming all too common.
So, for healthcare practices—big or small—it seems like the most important lesson learned from the Cancer Care Group data breach is that a good offense is the best defense. It may cost businesses to set up a proper compliance program, but can likely avoid hundreds of thousands of dollars in fees (as well as an immeasurable sum in battered reputation) in the future.
If you have questions or would like to have an initial free consultation regarding HIPAA compliance of your healthcare business, please contact us today.