Two HIPAA covered entities ‒ Concentra Health Services and QCA Health Plan Inc. ‒ have agreed to pay nearly $2 million between them to settle charges that they violated the HIPAA Privacy and Security Rules by failing to adequately secure the electronic protected health information (e-PHI) of their customers on the companies’ mobile devices.  As is normally the case, the U.S. Department of Health and Human Services Office for Civil Rights launched its investigations after the companies notified it of their respective breaches.  And, once again, the central problem was the entities’ failure to encrypt e-PHI on laptops.