News Feature | May 7, 2014

Stolen Laptops Lead to Whopping Fine


By Christine Kern, contributing writer


OCR fines two health organizations almost $2 million after laptops stolen.

According to an HHS press release, the HHS Office for Civil Rights has levied monetary fines and corrective action plans against a provider organization and a health insurer for violations of the HIPAA privacy and security rules. These major enforcement actions underscore the significant risk to the security of patient information posed by unencrypted laptop computers and other mobile devices.

OCR fined provider organization Concentra Health Services $1,725,220 and Arkansas insurer QCA Health Plan Inc. $250,000, with both organizations signing resolution agreements to adopt a corrective action plan for HIPAA compliance. Both organizations demonstrated long-time non-compliance with HIPAA, according to OCR, which has now taken this level of action against at least 20 organizations.

Susan McAndrew, OCR’s deputy director of health information privacy, explained, “Covered entities and business associates must understand that mobile device security is their obligation. Our message to these organizations is simple: encryption is your best defense against these incidents.”

OCR received a breach report stating that an unencrypted laptop had been stolen from one of Concentra Health Services' facilities, leading to the compliance review. The investigation revealed that Concentra had previously recognized security risks due to lack of encryption on its devices containing ePHI, and had begun to take steps to resolve those risks.

Ironically, as Health Data Management reported, October 27, 2008, was the date of the organization's last report on an encryption project (with 434 of 597 laptops having been encrypted) until June 22, 2012, when a complete inventory assessment was finished and action restarted to encrypt all unencrypted devices, according to the resolution agreement with OCR. Among other provisions under the agreement, Concentra will submit a series of reports updating its progress to encrypt laptops, desktops, medical equipment, tablets and other storage devices.

Concentra’s efforts at encryption were incomplete and inconsistent over time, leaving patient PHI vulnerable throughout the organization, and Concentra had insufficient security management processes in place to safeguard patient information.

In response to the settlement, a Concentra spokesperson issued the following statement to Health Data Management: “Since self-reporting a stolen company laptop in 2011, Concentra has worked closely with the U.S. Department of Health and Human Services Office for Civil Rights to ensure confidentiality of protected health information. We received no indication that any information on the laptop was accessed or used inappropriately. Concentra remains focused on serving the health and well-being needs of our employers and patients with the highest integrity and utmost respect.”

The second settlement was reached with QCA Health Plan, Inc. of Arkansas, which reported in February 2012 that an unencrypted laptop computer containing the ePHI of 148 individuals was stolen from a workforce member’s car. While QCA encrypted its devices following discovery of the breach, OCR’s investigation revealed that QCA failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, beginning from the compliance date of the Security Rule in April 2005 and ending in June 2012.

OCR offers six HIPAA compliance educational programs for healthcare providers, each available with free Continuing Medical Education credits for physicians and Continuing Education credits for health care professionals, with one module focusing specifically on mobile device security. The Resolution Agreements can be found on the OCR website.