International Society of Primerus Law Firms

Failure to Conduct an Appropriate HIPAA Risk Analysis Can Cost You!

By:  Anthony R. Eaton, Esq.
Wilke, Fleury, Hoffelt, Gould & Birney, LLP
Sacramento, California

A $750,000 settlement recently paid by a large physician practice group highlights how important it is for organizations to regularly conduct proper HIPAA risk assessments.

The Cancer Care Group (based in Indiana) allegedly failed to protect electronic patient data (“ePHI”) as required by the Health Insurance Portability and Accountability Act’s (“HIPAA”) Security Rule.  The Group’s compliance issues arose after an employee’s laptop bag containing unencrypted electronic patient data was reported stolen out of the employee’s car.  According to the resolution agreement between the Group and the Office of Civil Rights (“OCR”), the Group failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI.  As a result, the Group did not implement appropriate and effective policies and procedures to govern the receipt and removal of computer hardware and electronic media containing ePHI into and out of the Group’s facility.  This failure led to the improper disclosure of ePHI related to approximately 55,000 individuals and an agreement to pay $750,000 to resolve the OCR’s allegations.  The Group was also required to enter a three-year Corrective Action Plan to come into compliance with HIPAA.

The takeaway for all organizations covered by HIPAA is that one of the most important aspects of an effective HIPAA compliance program is the implementation of regular risk assessments.  These assessments must include a thorough evaluation of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the organization or its business associates.  By conducting these assessments and implementing appropriate security measures in response, organizations can uncover and prevent breaches such as those alleged against the Cancer Care Group.  Such measures would certainly include ensuring that no electronic health information leaves your facility unencrypted, let alone sits unattended in a parked car!

The Resolution Agreement can be found at:

For more information about Wilke, Fleury, Hoffelt, Gould & Birney, LLP, please visit the International Society of Primerus Law Firms.


The general information contained herein is intended for informational purposes only. It is not intended to be, and should not be construed as, legal advice or legal opinion on any specific facts or circumstances.
