On April 22 2014 the Department of Health and Human Services Office for Civil Rights (OCR) announced that Concentra Health Services Inc (CHS) and QCA Health Plan Inc have agreed to pay a total of $1,975,220, collectively, to resolve potential violations of the Health Insurance Portability and Accountability Act Privacy and Security Rules stemming from the theft of unencrypted laptops. Specifically, CHS has agreed to pay $1,725,220 and QCA has agreed to pay $250,000 to the OCR to settle potential act violations, and both will adopt corrective action plans to prove their remediation of the potential violations. The clear message from thesettlements is that the OCR expects covered entities to encrypt mobile devices that store electronic protected health information.

The OCR opened its investigation into CHS's Health Insurance Portability and Accountability Act compliance after the company filed a breach report in December 2011, stating that an unencrypted laptop was stolen from one of its facilities in Springfield, Missouri. The OCR's investigation revealed that while CHS had recognised in previous risk analyses that the lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information was a critical risk, its efforts to encrypt these devices were incomplete and inconsistent, leaving protected health information vulnerable throughout the organisation. In addition, the OCR's investigation found that CHS had insufficient security management processes in place to safeguard patient information.

Similarly, the OCR opened an investigation of QCA's compliance after it filed a breach report in February 2012, reporting that an unencrypted laptop containing the electronic protected health information of 148 individuals was stolen from an employee's car. Although QCA began encrypting its devices after discovery of the breach, the OCR's investigation revealed that from the compliance date for the security rule (ie, April 2005) until June 2012, it had failed to:

  • conduct a risk assessment;
  • implement physical safeguards and other security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 45 CFR § 164.306; and
  • implement policies and procedures to prevent, detect, contain and correct security violations.

These enforcement actions highlight the vulnerability of unencrypted laptops and other mobile devices, and serve as a reminder of the significant risks that they pose to the security of patient information. In response to these two incidents, Susan McAndrew, the OCR's deputy director of health information privacy, emphasised that "Covered entities and business associates must understand that mobile device security is their obligation", and that the OCR's "message to these organizations is simple: encryption is your best defense against these incidents".

Encryption is technically not required in all cases under the Health Insurance Portability and Accountability Act Security Rule. Instead, it is an "addressable" standard under the act, which means that it is required only where reasonable and appropriate based on a risk assessment. Nevertheless, these enforcement actions raise the question of whether the OCR views encryption of mobile devices containing protected health information as a de facto requirement. The QCA enforcement action also underscores the importance of conducting an accurate and thorough Health Insurance Portability and Accountability Act risk assessment, which is a comprehensive inventory and categorisation of the risks to protected health information (eg, computer viruses, theft) and the implementation of a risk management plan to address those risks (eg, virus protection software, encryption). A documented risk assessment is one of the key documents that the OCR requests in an investigation involving possible non-compliance with the security rule. OCR representatives have previously indicated that there is a direct connection between a covered entity's ability to produce this baseline assessment and the OCR's decision regarding whether to issue penalties for non-compliance. At the least, failure to produce this document substantially increases the likelihood that the OCR will seek to impose civil penalties where there is a failure to comply with the security rule. Finally, it is clear from the CHS settlement that conducting risk assessments is not enough to avoid penalties under the Health Insurance Portability and Accountability Act. Rather, the risks identified in the assessment must be addressed completely and consistently.

For further information on this topic please contact Anna Spencer at Sidley Austin LLP's Washington DC office by telephone (+1 202 736 8000), fax (+1 202 736 8711) or email (aspencer@sidley.com). Alternatively, please contact Meena Datta at Sidley Austin LLP's Chicago office by telephone (+1 312 853 7000), fax (+1 312 853 7036) or email (mdatta@sidley.com).