New HIPAA Settlements Show OCR’s Focus on Encryption

Last week, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) reached settlements with two separate entities for alleged violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  Specifically, Concentra Health Services (“Concentra”) agreed to pay $1,725,220 following the theft of an unencrypted laptop and the discovery of generally insufficient security management.  Additionally, QCA Health Plan, Inc. (“QCA”) agreed to pay $250,000 following the theft of an unencrypted laptop and the discovery of general non-compliance with HIPAA.  Both Concentra and QCA also entered into Corrective Action Plans with OCR.

Concentra is a Texas-based company with medical facilities in 38 states.  The company submitted a security breach report to OCR in December 2011 upon discovering the theft of an unencrypted laptop from a physical therapy center in Springfield, Missouri.  OCR then investigated Concentra and learned that, although Concentra had identified lack of encryption as a “critical risk” in its own risk analysis, it had not taken adequate corrective measures to address that risk.  OCR also found that Concentra had insufficient security management processes in place to safeguard Protected Health Information (“PHI”).

QCA is a health insurance company based in Little Rock, Arkansas.  In February 2012, QCA submitted a security breach report to OCR upon discovering the theft of an unencrypted laptop from an employee’s car.  Following the breach, QCA encrypted devices within the company containing PHI.  However, upon investigation, OCR found that QCA was not fully HIPAA compliant.

Encryption is not required by HIPAA, but if a Covered Entity or Business Associate opts not to encrypt PHI, whether at rest or in transmission, the entity must document its rationale and adopt alternative safeguards that achieve a similar level of protection.  Additionally, only the improper use or disclosure of unencrypted PHI constitutes a security breach for purposes of HIPAA.  These settlements illustrate the potential consequences of not encrypting PHI, particularly on portable devices.  Susan McAndrew of OCR stated with regard to these settlements: “Our message to these organizations is simple: encryption is your best defense to these incidents.”

Both breaches have been added to Cooley’s “Select HIPAA Privacy and Security Enforcement Actions Tracker” that may be accessed on the right side of this page or under the “Resources” tab above.
