ARTICLE
15 October 2015

HIPAA Fine Underscores OCR's Focus On Physician Group Compliance

BakerHostetler

Contributor


The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) recently announced a $750,000 fine and resolution agreement, including a Corrective Action Plan (CAP), for Cancer Care Group, P.C. (CCG), a private organization made up of 18 physicians. The CCG investigation and resolution demonstrate that OCR does not exempt even modest-size physician groups from scrutiny.

The investigation originated from an incident in 2012 in which a CCG employee's laptop bag was stolen from the employee's car. The laptop bag contained unencrypted computer server back-up media with the electronic protected health information (ePHI) of around 55,000 patients.

OCR emphasized CCG's seven years of non-compliance with the Security Rule in the resolution agreement and CAP. OCR noted that, since the April 21, 2005, Security Rule compliance date, CCG had not conducted an enterprise-wide risk analysis or established and implemented written policies regulating the removal of hardware and electronic media containing ePHI into, out of and within facilities, notwithstanding that CCG employees regularly transported ePHI. Additionally, OCR found that CCG had neither encrypted the backup tapes nor properly safeguarded the unencrypted backup tapes that were stolen from the employee's car.

The CAP emphasizes general HIPAA compliance and the importance of conducting security risk analyses at regular or as-needed intervals, implementing responsive risk management plans, and updating training materials and policies and procedures. This emphasis is consistent with our experience in working with healthcare clients on OCR investigations, where these are proving to be the most important and fundamental compliance tools a covered entity should have.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
