21st Century Oncology agrees to pay $2.3M as part of latest HIPAA settlement

Fort Myers, Florida-based 21st Century Oncology, which operates a total of 179 treatment centers in the United States and Latin America, has agreed to pay $2.3 million to HHS’ Office for Civil Rights to settle HIPAA violations.

2017 ended on a not-so-high note in the HIPAA world.

21st Century Oncology, a provider of cancer care services and radiation oncology, has agreed to pay $2.3 million to HHS’ Office for Civil Rights to settle HIPAA violations.

The Fort Myers, Florida-based organization operates 179 treatment centers, 143 of which are in the United States. The other 36 centers are in Latin America.

The settlement stems from issues that began in 2015. Twice that year, the FBI informed 21CO that patient information had been obtained illegally by an unauthorized third party. The agency had patient files that were purchased by an FBI informant.

After an internal investigation, the organization discovered the perpetrator may have accessed its network SQL database as early as October 3, 2015. As it turns out, that unauthorized access impacted 2,213,597 of 21st Century Oncology’s patients, exposing their names, Social Security numbers, insurance information, diagnoses, treatment and physicians’ names.

An investigation by OCR also revealed that 21CO didn’t conduct an accurate assessment of potential risks, failed to implement proper security measures and disclosed PHI to third-party vendors without a business associate agreement.

In addition to paying the hefty fine, 21st Century Oncology has to implement a corrective action plan. As part of it, the organization has to complete a risk analysis and risk management plan, reevaluate its policies, educate its workforce and provide OCR with all of its maintained business associate agreements.

Via email, 21st Century Oncology sent the following statement:

The company fully cooperated with the government in resolving these historical matters and has no further comments.

21CO has been in quite a bit of hot water recently.

In May, it filed for Chapter 11 bankruptcy. The HIPAA settlement was approved by the bankruptcy court.

It also recently agreed to pay the Department of Justice $26 million to settle False Claims Act allegations.

2017 — particularly the first half of it — was full of HIPAA settlements.

Notably, Hollywood, Florida-based Memorial Healthcare System paid a $5.5 million settlement after it reported the PHI of 115,143 people had been disclosed to office staff. Children’s Medical Center of Dallas also paid $3.2 million for failing to comply with HIPAA due to two data breaches in 2010 and 2013.

Here’s to hoping 2018 will be a year with fewer breaches, and thereby less HIPAA news.
