The U.S. Department of Health and Human Services (“HHS”) recently announced resolution agreements (“RAs”) with two covered entities, a health care provider and an insurer, under HIPAA’s privacy and security rules (the “Rules”), requiring combined payments of approximately $2 million to settle potential violations of the Rules. Both RAs stemmed from investigations conducted by HHS as a result of breach notifications the covered entities submitted to report the thefts of laptop computers containing unencrypted electronic protected health information (“ePHI”). Apart from the settlement payments, the RAs impose two-year corrective action plans, including the performance of risk analysis, implementation of risk management plans and training, and periodic follow-up activities with HHS. Although failure to encrypt ePHI is not a per se violation of the Rules, the HHS news release regarding the RAs underscores HHS’ view that unencrypted laptops and other mobile devices pose significant risks to the security of ePHI, and that “encryption is [a covered entity’s] best defense against these incidents.”

A copy of the health care provider’s resolution agreement is available here.

A copy of the insurer’s resolution agreement is available here.

A copy of the HHS news release is available here.