OCR issued an update regarding two important HIPAA settlements involving the theft of unencrypted laptops. The first involved Concentra Health Systems' report of a breach in which an unencrypted laptop was stolen from the Springfield Missouri Physical Therapy Center. OCR concluded that, although Concentra had previously recognized its lack of encryption in multiple risk analyses, its efforts to protect patient PHI remained incomplete and inconsistent, leaving ePHI vulnerable. As a result, Concentra agreed to pay OCR $1,725,220 to settle the violations and will implement a corrective action plan to remediate the findings.
The second settlement resulted from a breach reported in February 2012 by QCA Health Plan, Inc. of Arkansas: an unencrypted laptop containing the ePHI of 148 individuals was stolen from a car. Although QCA encrypted its devices after discovering the breach, it paid a $250,000 settlement and is required to provide HHS with an updated risk analysis and risk management plan, train its workforce, and document its ongoing compliance efforts. You can find a copy of the HHS Press Release here and copies of the Resolution Agreements here.
Health care providers need to understand the importance of encrypting their devices, including laptops, desktop computers, medical equipment, tablets and any other devices containing electronic protected health information (ePHI).
By Denise Bloch