HIPAA Update – OCR Takes Unencrypted Laptops Seriously


OCR issued an update regarding two important HIPAA settlements involving theft of unencrypted laptops. The first involved Concentra Health Systems' report of a breach in which an unencrypted laptop was stolen from the Springfield, Missouri Physical Therapy Center. OCR concluded that, although Concentra had previously recognized its lack of encryption in multiple risk analyses, its efforts to protect patient PHI remained vulnerable due to incomplete and inconsistent encryption. As a result, Concentra agreed to pay OCR $1,725,220 to settle the violations and will be implementing a corrective action plan to remediate the findings.

A second settlement resulted from a breach in February 2012, in which QCA Health Plan, Inc. of Arkansas reported the theft from a car of an unencrypted laptop containing ePHI of 148 individuals. While QCA encrypted its devices after discovering the breach, it paid a $250,000 settlement and is required to provide HHS with an updated risk analysis and risk management plan, as well as to train its workforce and document its ongoing compliance efforts. You can find a copy of the HHS Press Release here and copies of the Resolution Agreements here.

Health care providers need to understand the importance of encrypting their devices, including laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (ePHI).

By Denise Bloch


The information on this website is for general information purposes only. Nothing on this site should be taken as legal advice for any individual case or situation.
This information is not intended to create, and receipt or viewing does not constitute, an attorney-client relationship. © 2014 Sandberg Phoenix & von Gontard P.C. All Rights Reserved.
