BreachExchange mailing list archives

Don’t lose your laptop! New HIPAA settlement emphasizes importance of risk analysis and device and media controls


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 14 Sep 2015 18:14:39 -0600

http://www.lexology.com/library/detail.aspx?g=2f5a4d90-1450-4c8d-8a4c-74450a57f95e

On September 2, 2015, the US Department of Health and Human Services,
Office for Civil Rights (OCR) announced a new settlement for $750,000 with
Cancer Care Group, P.C. (Cancer Care) to resolve potential violations of
the HIPAA Privacy and Security Rules identified as the result of the theft
of a laptop and backup media.  As part of the Resolution Agreement, Cancer
Care also will adopt a corrective action plan to correct deficiencies in
its HIPAA compliance program.  Cancer Care is a private radiation oncology
practice with 13 radiation oncologists providing services throughout
Indiana.

OCR’s investigation began in August 2012, after Cancer Care reported a
breach of unsecured protected health information when a laptop bag
containing an employee’s computer and unencrypted backup media was stolen
from the employee’s car.  The computer and unencrypted backup media
contained protected health information (PHI) and financial information for
approximately 55,000 current and former patients.  During the course of its
investigation, OCR discovered that Cancer Care had never conducted an
enterprise-wide risk analysis before the breach occurred, despite the
Security Rule requiring since April 2005 that covered entities conduct a
risk analysis.  (This requirement was extended to business associates under
the Health Information Technology for Economic and Clinical Health (HITECH)
Act in 2009 and through regulation effective September 23, 2013.)  Cancer
Care also did not have in place a written policy specific to the movement
of hardware and electronic media containing PHI into and out of its
facilities, even though this movement was a common practice.

This settlement provides a useful reminder to covered entities and business
associates about the importance of conducting a thorough risk analysis.  As
OCR continues to emphasize, a good risk analysis serves as the basis for an
entity’s HIPAA compliance program by providing the entity with a road map
for the policies and procedures that must be put in place to mitigate
potential risks.  In this case, OCR found that an enterprise-wide risk
analysis would have identified the removal of unencrypted backup media as
an area of significant risk, and if a comprehensive device and media
controls policy had been developed and implemented based on the
identification of this potential risk, this policy may have prevented the
behavior that resulted in the breach.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/