OCR hits two entities with $2M fine for encryption failures
The Department of Health and Human Services Office of Civil Rights (OCR) has fined Concentra Health Services $1,725,220 to resolve violations of HIPAA Privacy and Security laws related to the theft of laptops containing protected patient data.
“Covered entities and business associates must understand that mobile device security is their obligation,” Susan McAndrew, deputy director of health information privacy at OCR, said in a statement. “Our message to these organizations is simple: encryption is your best defense against these incidents.”
Upon learning that a laptop containing unencrypted patient data had been stolen from the Springfield Missouri Physical Therapy center, a Concentra facility, the OCR conducted a compliance review. Although Concentra had recognized the vulnerability and had begun encrypting its laptops, desktop computers, medical equipment, tablets and other devices on which electronic protected health information could be found, OCR found these efforts inconsistent and incomplete.
A second incident, at a small Arkansas payer, QCA Health Plan, also involved the theft of an unencrypted laptop containing patient data. A review revealed failures to comply with multiple HIPAA privacy and security rules, and QCA agreed to a settlement of $250,000. As part of the resolution, QCA is required to undertake an updated risk analysis and retrain its workforce.
The OCR offers six HIPAA educational programs, including one on mobile device security. Each program is free and available with continuing medical education credits for physicians and continuing education credits for healthcare professionals.