Last week, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) reached settlements with two separate entities for alleged violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Specifically, Concentra Health Services (“Concentra”) agreed to pay $1,725,220 following the theft of an unencrypted laptop and the discovery of generally insufficient security management. Additionally, QCA Health Plan, Inc. (“QCA”) agreed to pay $250,000 following the theft of an unencrypted laptop and the discovery of general non-compliance with HIPAA. Both Concentra and QCA also entered into Corrective Action Plans with OCR.
Concentra is a Texas based company with medical facilities in 38 states. The company submitted a security breach report to OCR in December 2011 upon discovering the theft of an unencrypted laptop from a physical therapy center in Springfield, Missouri. OCR then investigated Concentra and learned that, although Concentra had identified lack of encryption as a “critical risk” as part of its risk analysis, it had not taken adequate corrective action measures to address that risk. OCR also found that Concentra had insufficient security management processes in place to safeguard Protected Health Information (“PHI”).
QCA is a health insurance company based in Little Rock, Arkansas. In February 2012, QCA submitted a security breach report to OCR upon discovering the theft of an unencrypted laptop from an employee’s car. Following the breach, QCA encrypted devices within the company containing PHI. However, upon investigation, OCR found that QCA was not fully HIPAA compliant.
Encryption is not required by HIPAA, but if a Covered Entity or Business Associate opts not to encrypt PHI either at rest or in transmission, the entity must document its rationale and adopt alternative safeguards that achieve a similar level of protection. Additionally, only the improper use or disclosure of unencrypted PHI constitutes a security breach for purposes of HIPAA. These settlements illustrate potential consequences of not encrypting PHI, particularly on portable devices. Susan McAndrew of OCR stated with regard to these settlements: “Our message to these organizations is simple: encryption is your best defense to these incidents.”
Both breaches have been added to Cooley’s “Select HIPAA Privacy and Security Enforcement Actions Tracker” that may be accessed on the right side of this page or under the “Resources” tab above.