In April 2014, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) continued to emphasize the importance of encryption in maintaining the confidentiality and security of protected health information (“PHI”), especially in addressing and mitigating the significant risk to PHI posed by unencrypted laptops and other mobile devices.

On April 22, 2014, OCR announced that it had resolved potential HIPAA violations arising out of the theft of unencrypted laptops with two different covered entities, Concentra Health Services (“Concentra”) and QCA Health Plan, Inc. of Arkansas (“QCA”). The collective settlement with both covered entities totaled $1,975,220.00.

Concentra agreed to pay OCR $1,725,220 to settle potential HIPAA violations, and will adopt a corrective action plan to evidence the remediation of OCR’s findings.  OCR’s investigation of Concentra began following its receipt of a breach report that an unencrypted laptop was stolen from its Springfield, Missouri facility.  OCR’s investigation revealed that Concentra had previously recognized, in multiple risk analyses, that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing ePHI was a critical risk.  OCR found that while  Concentra took steps to begin encryption, its efforts were incomplete and inconsistent which left patient PHI vulnerable throughout the organization. OCR’s investigation further found Concentra had insufficient security management processes in place to safeguard PHI.

Similarly, OCR received a breach notice in February 2012 from QCA reporting that an unencrypted laptop containing the ePHI of 148 individuals was stolen from a workforce member’s car.  While QCA encrypted their devices following discovery of the breach, OCR’s investigation revealed that QCA failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, beginning from the compliance date of the Security Rule in April 2005 and ending in June 2012.  QCA agreed to pay a $250,000 monetary settlement, and is required to provide HHS with an updated risk analysis and corresponding risk management plan that includes specific security measures to reduce the risks to and vulnerabilities of its ePHI.  QCA is also required to re-train its workforce and document its ongoing compliance efforts.

Susan McAndrew, OCR’s deputy director of health information privacy, stated that “Covered entities and business associates must understand that mobile device security is their obligation.  Our message to these organizations is simple:  encryption is your best defense against these incidents.”

The Resolution Agreements can be found on the OCR website at:  http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/stolenlaptops-agreements.html.