In the latest in a string of recent notable HIPAA settlements, Concentra Health Services and QCA Health Plan, Inc. have agreed to pay the U.S. Department of Health and Human Services (HHS) $1,725,220 and $250,000, respectively, "to resolve potential violations" of HIPAA’s Privacy and Security Rules. The settlements are described in an April 22 press release by HHS.
HHS’s Office for Civil Rights (OCR) opened an investigation of Concentra after receiving a report that an unencrypted laptop computer had been stolen from its physical therapy center in Springfield, Missouri. OCR found that although Concentra’s risk analyses had determined that a lack of encryption on its electronic devices made patients’ electronic protected health information (ePHI) vulnerable to a data breach, Concentra took "incomplete and inconsistent" steps to remedy the problem. The investigation also found that Concentra had "insufficient security management processes in place to safeguard patient information," according to the press release. In addition to the substantial monetary settlement, Concentra must now adopt a corrective action plan to remediate the deficiencies.
QCA Health Plan, the second-largest Arkansas-based managed care insurer, reported to OCR in February 2012 that an unencrypted laptop containing ePHI had been stolen from an employee’s car. OCR’s investigation determined that QCA had failed to comply with multiple requirements of HIPAA’s Privacy and Security Rules. In addition to its monetary settlement, QCA must also perform an updated risk analysis, provide HHS with a risk management plan that includes specific security measures to better safeguard its ePHI, and retrain its workforce.
Any healthcare providers that have not yet updated their HIPAA policies and procedures since the release of the Omnibus Final Rule in January 2013, or have not performed a recent risk analysis, should do so without delay, as it appears that the "new HHS offensive" predicted here is indeed well underway.