Failure to Encrypt Costs Two Entities Nearly $2 Million

The message from the U.S. Department of Health and Human Services Office for Civil Rights (OCR) is loud and clear in its announcement of a $1,725,220 payment by provider Concentra Health Services to resolve potential violations of the HIPAA Privacy and Security Rules arising from the theft of laptops containing protected patient data.

“Covered entities and business associates must understand that mobile device security is their obligation,” said Susan McAndrew, OCR’s deputy director of health information privacy, in a press release. “Our message to these organizations is simple: encryption is your best defense against these incidents.”

After receiving a report that a laptop containing unencrypted patient data had been stolen from the Springfield Missouri Physical Therapy Center, a Concentra facility, OCR opened a compliance review. The review found that Concentra had already recognized the risk and had begun encrypting laptops, desktop computers, medical equipment, tablets and other devices on which electronic protected health information could be found. That effort, however, was inconsistent and incomplete across the organization: a rollout that leaves some devices unencrypted leaves each of those devices a reportable breach waiting to happen, and in this case it was one of them that was stolen.

The second incident involved a small Arkansas payor, QCA Health Plan, which likewise reported the theft of an unencrypted laptop containing patient data. OCR's review found failures to comply with multiple provisions of the HIPAA Privacy and Security Rules, and QCA agreed to a $250,000 settlement. As part of the resolution, QCA must perform an updated risk analysis and retrain its workforce.

OCR offers six educational programs for healthcare providers on compliance with the HIPAA Privacy and Security Rules, including one on mobile device security. Each program is free, with Continuing Medical Education credits available for physicians and Continuing Education credits for other healthcare professionals.