Georgia's Trusted Healthcare
& Medical Provider Attorneys

Need Proof As To Why You Need To Conduct HIPAA Risk Assessments? Read On

An employee's stolen laptop with unencrypted files led to a HIPAA investigation and ultimately a $750,000 settlement

The Department of Health and Human Services (HHS) recently issued a press release announcing a settlement with a 13-physician radiation oncology practice over HIPAA violations. Cancer Care Group, P.C. settled allegations of HIPAA noncompliance for $750,000. One of the major factors that led HHS to conclude that Cancer Care was in widespread noncompliance with the HIPAA Security Rule was the practice's failure to conduct a proper risk analysis.

HHS investigated the practice because of a HIPAA breach that occurred in 2013. The breach occurred when a laptop bag was stolen from an employee's car. The laptop contained unencrypted files that included patient Protected Health Information (PHI) such as names, addresses, birth dates, Social Security numbers, and clinical information.

HHS notes that if Cancer Care had conducted an enterprise-wide risk analysis, it could have identified the removal of unencrypted backup media from its facility as an area of significant risk to its ePHI and adopted policies and procedures to reduce that risk. HHS Office for Civil Rights Director Jocelyn Samuels emphasizes that "organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients' health information."

HHS also notes that Cancer Care should have had a comprehensive device and media control policy in place. The absence of a policy setting out employee responsibilities when removing devices and media containing ePHI from the facility contributed to the breach.

This settlement is another reminder that health care practices should not ignore their obligation to conduct periodic, comprehensive risk assessments. Failure to do so puts patient information at risk of breach and can prove costly for the practice if HHS investigates.

The full HHS Press Release is available here, and the Cancer Care Settlement Agreement is available here.

Please contact Danielle Hildebrand at (678) 325-3872 if you have questions about conducting a risk assessment for your practice.