[ Wednesday, September 02, 2015 ]
Laptop Theft Reveals Other HIPAA Problems; Net Result? $750,000 Fine. Cancer Care Group, a radiation oncology practice in Indiana, had a laptop stolen with data relating to 55,000 patients. It was not encrypted. But more importantly, OCR's investigation showed no initial risk analysis and no policies on removing data on devices. CCG was not
required to forbid the taking of data out on a laptop, nor was it
required to only do so with encryption in place. But is was
required to do a risk analysis, and if it had done so, probably would've decided to take those steps. But the fact that it didn't need to do so no longer matters because there's no risk analysis in the first place.
If you are a covered entity and have a breach,
OCR WILL ASK FOR YOUR ORIGINAL RISK ANALYSIS, as well as any updates. If you never did one, if the one you did was a little sloppy, if it was a long time ago, if you're a lot smart now, if your business has changed . . . you need to do one. If you don't, and if you have a breach, even if you might be innocent of major mistakes causing the breach, you're likely to be fined.
You have been warned.
Jeff [2:29 PM]
http://www.blogger.com/template-edit.g?blogID=3380636
Blogger: HIPAA Blog - Edit your Template