BreachExchange mailing list archives
Don’t lose your laptop! New HIPAA settlement emphasizes importance of risk analysis and device and media controls
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 14 Sep 2015 18:14:39 -0600
http://www.lexology.com/library/detail.aspx?g=2f5a4d90-1450-4c8d-8a4c-74450a57f95e

On September 2, 2015, the US Department of Health and Human Services, Office for Civil Rights (OCR) announced a new settlement for $750,000 with Cancer Care Group, P.C. (Cancer Care) to resolve potential violations of the HIPAA Privacy and Security Rules identified as the result of the theft of a laptop and backup media. As part of the Resolution Agreement, Cancer Care also will adopt a corrective action plan to correct deficiencies in its HIPAA compliance program.

Cancer Care is a private radiation oncology practice with 13 radiation oncologists providing services throughout Indiana. OCR’s investigation began in August 2012, after Cancer Care reported a breach of unsecured protected health information when a laptop bag containing an employee’s computer and unencrypted backup media was stolen from the employee’s car. The computer and unencrypted backup media contained protected health information (PHI) and financial information for approximately 55,000 current and former patients.

During the course of its investigation, OCR discovered that Cancer Care had never conducted an enterprise-wide risk analysis before the breach occurred, despite the Security Rule requiring since April 2005 that covered entities conduct a risk analysis. (This requirement was extended to business associates under the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 and through regulation effective September 23, 2013.) Cancer Care also did not have in place a written policy specific to the movement of hardware and electronic media containing PHI into and out of its facilities, even though this movement was a common practice.

This settlement provides a useful reminder to covered entities and business associates about the importance of conducting a thorough risk analysis.
As OCR continues to emphasize, a good risk analysis serves as the basis for an entity’s HIPAA compliance program by providing the entity with a road map for the policies and procedures that must be put in place to mitigate potential risks. In this case, OCR found that an enterprise-wide risk analysis would have identified the removal of unencrypted backup media as an area of significant risk, and if a comprehensive device and media controls policy had been developed and implemented based on the identification of this potential risk, this policy may have prevented the behavior that resulted in the breach.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss