[ Wednesday, September 02, 2015 ]


Laptop Theft Reveals Other HIPAA Problems; Net Result? $750,000 Fine.  Cancer Care Group, a radiation oncology practice in Indiana, had a laptop stolen with data relating to 55,000 patients.  It was not encrypted.  But more importantly, OCR's investigation showed no initial risk analysis and no policies on removing data on devices.  CCG was not required to forbid the taking of data out on a laptop, nor was it required to only do so with encryption in place.  But is was required to do a risk analysis, and if it had done so, probably would've decided to take those steps.  But the fact that it didn't need to do so no longer matters because there's no risk analysis in the first place.

If you are a covered entity and have a breach, OCR WILL ASK FOR YOUR ORIGINAL RISK ANALYSIS, as well as any updates.  If you never did one, if the one you did was a little sloppy, if it was a long time ago, if you're a lot smart now, if your business has changed . . . you need to do one.  If you don't, and if you have a breach, even if you might be innocent of major mistakes causing the breach, you're likely to be fined.

You have been warned.

Jeff [2:29 PM]

Comments: Post a Comment
http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template