Stolen Laptops Lead to HIPAA Settlements

Two entities have paid the U.S. Department of Health & Human Services Office for Civil Rights (OCR) $1,975,220 to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules thanks to unencrypted laptop computers..

OCR opened a compliance review of Concentra Health Services (Concentra) upon receiving a breach report that an unencrypted laptop was stolen from one of its facilities, the Springfield Missouri Physical Therapy Center.  OCR’s investigation revealed that Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (ePHI) was a critical risk.  While steps were taken to begin encryption, Concentra’s efforts were incomplete and inconsistent over time leaving patient PHI vulnerable throughout the organization. OCR’s investigation further found Concentra had insufficient security management processes in place to safeguard patient information. Concentra has agreed to pay OCR $1,725,220 to settle potential violations and will adopt a corrective action plan to evidence their remediation of these findings.

OCR received a breach notice in February 2012 from QCA Health Plan, Inc. of Arkansas reporting that an unencrypted laptop computer containing the ePHI of 148 individuals was stolen from a workforce member’s car.  While QCA encrypted their devices following discovery of the breach, OCR’s investigation revealed that QCA failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, beginning from the compliance date of the Security Rule in April 2005 and ending in June 2012.  QCA agreed to a $250,000 monetary settlement and is required to provide HHS with an updated risk analysis and corresponding risk management plan that includes specific security measures to reduce the risks to and vulnerabilities of its ePHI.  QCA is also required to retrain its workforce and document its ongoing compliance efforts.

“Covered entities and business associates must understand that mobile device security is their obligation,” said Susan McAndrew, OCR’s deputy director of health information privacy. “Our message to these organizations is simple: encryption is your best defense against these incidents.”

dec-clearance-sale

 

Brad Ericson

Brad Ericson

Publisher at AAPC
Brad Ericson, MPC, CPC, COSC, has been publisher for more than nine years. Before AAPC he was at Optum for 13 years and at Aetna Health Plans before that. He has been writing and publishing about healthcare since 1979. He received his Bachelor's in Journalism from Idaho State University and his Master's of Professional Communication degree from Westminster College of Salt Lake City.
Brad Ericson

About Has 197 Posts

Brad Ericson, MPC, CPC, COSC, has been publisher for more than nine years. Before AAPC he was at Optum for 13 years and at Aetna Health Plans before that. He has been writing and publishing about healthcare since 1979. He received his Bachelor's in Journalism from Idaho State University and his Master's of Professional Communication degree from Westminster College of Salt Lake City.

Leave a Reply

Your email address will not be published. Required fields are marked *