In September, 2015, OCR and HHS issued a press release announcing a Resolution Agreement with the Cancer Care Group, P.C., which included entry into the agreement, the adoption of a robust compliance plan, and the payment of a $750,000 penalty. The settlement arose out of an incident involving the theft of an employee laptop containing unencrypted PHI.

Providers and practitioners generally understand that HIPAA doesn’t require a guarantee of absolute privacy and security, but it absolutely requires good faith efforts to protect PHI. OCR emphasized that the most significant aspect of this situation was that CCG was a widespread non-compliance with the HIPAA security rule, because it had not conducted an enterprise risk analysis and it did not have written policies regarding hardware and removing hardware and electronic media containing PHI from its facilities, even though it was aware or should have been aware that this was a widespread practice.

As a reminder, please be aware that HHS and the Office of the National Coordinator for Health Information Technology (ONC) has published a security risk assessment tool.