OCR hits two entities with $2M fine for encryption failures

The Department of Health and Human Services Office of Civil Rights (OCR) has fined Concentra Health Services $1,725,220 to resolve violations of HIPAA Privacy and Security laws related to the theft of laptops containing protected patient data.

“Covered entities and business associates must understand that mobile device security is their obligation,” Susan McAndrew, deputy director of health information privacy at OCR, said in a statement. “Our message to these organizations is simple: encryption is your best defense against these incidents.”

After learning that a laptop containing unencrypted patient data had been stolen from the Springfield, Missouri, Physical Therapy center, a Concentra facility, the OCR conducted a compliance review. While Concentra had recognized the vulnerability and begun encrypting its laptops, desktop computers, medical equipment, tablets and other devices on which electronic protected health information could be found, OCR found these efforts inconsistent and incomplete.

A second incident involving a small Arkansas payer, QCA Health Plan, also involved the theft of an unencrypted laptop containing patient data. A review revealed the failure to comply with multiple HIPAA privacy and security rules, and QCA agreed to a settlement of $250,000. As part of the resolution, QCA is required to undertake an updated risk analysis and retrain its workforce.

The OCR offers six HIPAA educational programs, including one on mobile device security. Each program is free and available with continuing medical education credits for physicians and continuing education credits for healthcare professionals.

 
