On April 22, 2014, the US Department of Health and Human Services Office of Civil Rights (OCR) announced settlements of close to $2 million with two health care entities for violations of the Privacy and Security Rules promulgated under the Health Insurance Portability and Accountability Act (collectively HIPAA) related to the theft of unencrypted laptops.
The two companies, Concentra Health Services and QCA Health Plan, Inc., were the subject of separate OCR investigations initiated following reports of a Breach of Electronic Protected Health Information (EPHI) by the entities to OCR, as required under HIPAA. Concentra, a subsidiary of Humana, had an unencrypted laptop stolen from its Springfield, Missouri Physical Therapy Center. According to OCR, Concentra failed to adequately encrypt a variety of electronic devices containing EPHI and ultimately agreed to pay OCR $1.725 million and adopt a corrective action plan to ensure that sufficient protections were put into place to safeguard EPHI.
The OCR also fined Arkansas-based QCA $250,000 after an unencrypted laptop containing the EPHI of close to 150 people was stolen from an employee’s car in February of 2012. QCA took steps to encrypt its devices post-breach, and as part of a Resolution Agreement and settlement with OCR, further agreed to provide OCR with a risk management plan including additional risk-limiting security measures to secure QCA’s EPHI.
OCR has substantially increased its HIPAA enforcement efforts in recent years. The Health Information Technology for Economic and Clinical Health Act (HITECH), as implemented by the Omnibus HIPAA Rule finalized on January 25, 2013 (available at 78 Fed. Reg. 5566), increased the potential civil monetary penalties that OCR could impose on Covered Entities — health care providers, health plans, and health care clearinghouses — and their Business Associates — entities that perform services for or on behalf of Covered Entities involving the use or disclosure of Protected Health Information — for violating HIPAA. Depending on the degree of knowledge that the Covered Entity or Business Associate had, or should have had, regarding the violation, penalties for each violation range between $100 (did not know or have reason to know) and $50,000 (willful neglect without correction), with a maximum penalty for a given year of $1,500,000 for any violations of the same requirement or prohibition. The Director of the OCR, Leon Rodriguez, was quoted as saying the Omnibus Rule strengthened OCR’s ability to “vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider or one of their business associates.”
In addition, OCR has launched a long-awaited auditing program pursuant to which it audits Covered Entities for HIPAA compliance. Furthermore, in the past few years OCR has negotiated settlements and mandated corrective actions for Covered Entities and Business Associates related to alleged HIPAA violations in Resolution Agreements. To date, OCR has entered into 19 Resolution Agreements, many of which were initially triggered by a Breach report. OCR makes these Resolution Agreements available to the public here; such Agreements include corrective actions that can be construed as “best practices” for protecting Protected Health Information, including EPHI, and Covered Entities and Business Associates can use such Resolution Agreements to benchmark their current practices against such “best practices.”
It is critical that Covered Entities and their Business Associates adopt and consistently apply encryption methods to safeguard EPHI, particularly on portable electronic devices, as loss or theft of portable electronic devices has become the source of a myriad of HIPAA Breaches and a frequent factor in OCR enforcement actions and published Resolution Agreements.