On Tuesday, April 22, 2014, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced that Concentra Health Services Inc. (“CHS”) and QCA Health Plan Inc. (“QCA”) have agreed to pay a total of $1,975,220, collectively, to resolve potential violations of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy and Security Rules stemming from the theft of unencrypted laptops. Specifically, CHS has agreed to pay $1,725,220, and QCA has agreed to pay $250,000, to OCR to settle potential HIPAA violations and will adopt corrective action plans to evidence their remediation of the potential violations. The clear message from both settlements is that OCR expects covered entities to encrypt mobile devices that store electronic Protected Health Information (“ePHI”).
OCR opened its investigation of CHS’ HIPAA compliance after the company filed a breach report in December 2011, stating that an unencrypted laptop was stolen from one of its facilities in Springfield, MO. OCR’s investigation revealed that, while CHS recognized in previous risk analyses that its lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information was a critical risk, its efforts to encrypt these devices were incomplete and inconsistent, leaving PHI vulnerable throughout the organization. In addition, OCR’s investigation found that CHS had insufficient security management processes in place to safeguard patient information.
Similarly, OCR opened an investigation of QCA’s compliance after it filed a breach report in February 2012, reporting that an unencrypted laptop computer containing the ePHI of 148 individuals was stolen from a workforce member’s car. Although QCA began encrypting its devices after discovery of the breach, OCR’s investigation revealed that since the compliance date of the Security Rule (i.e., April 2005) through June 2012, it had failed to conduct a risk assessment, implement physical safeguards and other security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 45 C.F.R. § 164.306, and implement policies and procedures to prevent, detect, contain, and correct security violations.
These enforcement actions highlight the vulnerability of unencrypted laptop computers and other mobile devices and serve as a reminder of the significant risks they pose to the security of patient information. In response to these two incidents, Susan McAndrew, OCR’s deputy director of health information privacy, emphasized that “Covered entities and business associates must understand that mobile device security is their obligation,” and that “[OCR’s] message to these organizations is simple: encryption is your best defense against these incidents.”
Encryption is technically not required in all cases under the HIPAA Security Rule. Instead, it is an “addressable” standard under HIPAA, which means that it is required only where reasonable and appropriate based on a risk assessment. Nevertheless, these enforcement actions raise the question of whether OCR views encryption of mobile devices containing PHI as a de facto requirement. The QCA enforcement action also underscores the importance of conducting an accurate and thorough HIPAA risk assessment, which is a comprehensive inventory and categorization of the risks to PHI (e.g., computer viruses, theft) and the implementation of a risk management plan to address those risks (e.g., virus protection software, encryption). A documented risk assessment is one of the key documents OCR requests in an investigation involving possible non-compliance with the Security Rule. OCR representatives have previously indicated that there is a direct connection between a covered entity’s ability to produce this baseline assessment and OCR’s decision regarding whether to issue penalties for non-compliance. At the very least, failure to produce this document substantially increases the likelihood that OCR will seek to impose civil penalties where there is a failure to comply with the Security Rule. Finally, it is clear from the CHS settlement that conducting risk assessments is not enough to avoid penalties under HIPAA. Rather, the risks identified in the assessment must be addressed completely and consistently.