Saturday, November 21, 2015

HIPAA Audit - Learn From Recent $750,000 Settlement Between Medical Practice and HHS and OCR on Deficiencies in HIPAA Compliance After Data Breach

In our practice, we conduct HIPAA and HITECH compliance audits for health care clients and business associates (companies that service health care companies). We also represent them when a HIPAA complaint has been filed or reported. 

We do this as a law firm since our communications are protected by the attorney-client privilege, unlike those of regular consultants. 

Most small and mid-sized practices are not fully compliant and have not had audits. We go in, evaluate all existing policies and documents, create or revise a HIPAA compliance plan and employee handbook, document updated employee training, and perform a HIPAA HITECH initial audit, which is confidential. 

We work on a flat fee that is spread out over the year and includes phone calls, emails and meetings, which avoids high hourly charges and encourages efficiency. We help make sure that HIPAA is integrated into the culture.

Some companies or practices have staff to implement changes; other times we perform them. During our attorney-client privileged meetings, we create a master list and then implement a master action plan that will culminate in a final, documented HIPAA audit. We bring in less expensive consultants as needed to save money for the company or practice. 

Why is it important that these audits be documented? If a patient files a HIPAA complaint, or a data breach is reported to the OIG, to the Office for Civil Rights (which handles HIPAA complaints), or to the State of California DHCS Office of HIPAA Compliance, those agencies conduct audits. If there is a breach but it is found that prior compliance, proper policies and procedures, documented training, and a documented audit were in place, the fines and punishment will be far less. It also helps avoid civil lawsuits by patients for state privacy breaches (since HIPAA does not give a private right of action). 

Case Study: HIPAA Settlement. Here is a case study you can learn from that involved Cancer Care Group, P.C. It is a large radiation oncology group with over 15 treatment centers and over 13 physicians serving hospitals and clinics in Indiana. 

On April 21, 2005 the HIPAA Security Rule went into effect. While almost all practices and health care businesses have certain basic HIPAA notices in place for patients, this Rule required a series of administrative, technical, and physical safeguards that covered entities must use to assure the confidentiality of electronic protected health information (ePHI). Hospitals and large companies had the in-house infrastructure to do this, but medium-sized and smaller practices did not understand what needed to be implemented.

What was the breach of private information? There was no documentation that patient information was ever used by a third party, but there was a breach. On August 29, 2012, Cancer Care notified OCR, as required by law, of a breach of unsecured electronic protected health information (ePHI). A laptop bag had been stolen from an employee's car. 

The bag contained the employee’s computer and unencrypted backup media, which contained the names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of approximately 55,000 current and former Cancer Care patients.

OCR went in and performed a HIPAA audit and found that from April 21, 2005 to the date of the laptop theft in August 2012, Cancer Care "failed to conduct an accurate and thorough assessment of potential risks to the vulnerabilities to the confidentiality and integrity of protected" electronic PHI. In other words, it had never conducted an enterprise-wide risk analysis (audit) when the breach occurred in July 2012. 

There were no written policies in place that even prevented an employee from taking an unencrypted computer holding all of this data out of the facility and leaving it unsecured. It was also found that this was common practice within the organization.

OCR’s subsequent investigation found that, prior to the breach, Cancer Care was in widespread non-compliance with the HIPAA Security Rule in numerous areas. 

OCR found that these two issues, in particular, contributed to the breach, as an enterprise-wide risk analysis could have identified the removal of unencrypted backup media as an area of significant risk to Cancer Care’s ePHI, and a comprehensive device and media control policy could have provided employees with direction in regard to their responsibilities when removing devices containing ePHI from the facility.

HHS and OCR required Cancer Care, which had a sophisticated health care lawyer and team, to pay $750,000 and adopt a corrective action plan to correct the deficiencies in its HIPAA compliance program. 


Cancer Care learned the hard way. They reported the breach, and their prior lack of compliance came back to harm them. The settlement emphasizes the importance of risk analysis and device and media control policies, and the importance of third-party audit assessments. The electronic age has transformed patient information over the past ten (10) years.

Compliance and audits, if done properly, are cost-effective and important to risk management. Do not be afraid of having an audit, but if you are not compliant, ensure that it is done in a manner where the attorney-client privilege can be used to protect your company or practice while you get the right policies and procedures in place within a reasonable period of time.

Posted by Tracy Green, Esq.
Green and Associates
Office: 213-233-2260


DISCLAIMER: Green & Associates' articles and blog postings are prepared as a service to the public and are not intended to grant rights or impose obligations. Nothing in this website should be construed as legal advice. Green & Associates' articles and blog postings may contain references or links to statutes, regulations, or other policy materials. The information provided is only intended to be a general summary. It is not intended to take the place of either the written law or regulations. We encourage readers to review the specific statutes, regulations, and other interpretive materials for a full and accurate statement of their contents and contact their attorney for legal advice. The primary purpose of this website is not the commercial advertisement or promotion of a commercial product or service and this website is not an advertisement or solicitation. Anyone viewing this web site in a state where the web site fails to comply with all laws and ethical rules of that state, should disregard this web site.

The information provided on this website is for informational purposes only. It is not intended to create, and does not create, a lawyer-client relationship with Green & Associates, Attorneys at Law. Sending an e-mail to Tracy Green does not contractually obligate them to represent you as your lawyer, or create any type of client relationship. No attorney-client relationship will be formed absent a written engagement or retainer letter agreement signed by both Green & Associates and client and which specifies the scope of the engagement.

Please note that e-mail transmission is not secure unless it is encrypted. E-mail messages sent to Ms. Green should not include confidential or sensitive information.