Doctor concerned with health care law

Breaking news and expert analysis on legal and compliance issues

[Back To Home][Back To Archives]

From Health Law Daily, April 23, 2014

HIPAA violations involving unencrypted laptops lead to $2 million in settlements

By Greg Hammond, JD

The HHS Office for Civil Rights (OCR) has received nearly $2 million in settlements from Concentra Health Services (Concentra) and QCA Health Plan, Inc. (QCA), resulting from the loss of unencrypted laptops from the companies’ facilities. The settlements were reached to resolve possible violations of the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191).

“Covered entities and business associates must understand that mobile device security is their obligation,” stated OCR Deputy Director Susan McAndrew in a press release. “Our message to these organizations is simple: encryption is your best defense against these incidents.”

Concentra. According to the OCR’s investigation, Concentra’s previous risk analyses discovered that a lack of encryption on the company’s laptops, computers, medical equipment, and other devices that contained electronic protected health information posed a serious risk. Although the company took action to begin using encryption, its efforts were not thorough and consistent. Consequently, Concentra agreed to pay over $1.7 million to the OCR, according to the company’s resolution agreement with HHS, after an unencrypted laptop was stolen from one of the company’s physical therapy centers. Additionally, Concentra has agreed to adopt a corrective action plan to remediate the OCR’s findings, which includes: (1) a risk analysis; (2) a risk management plan; (3) evidence demonstrating implementation of planned remediation actions; (4) encryption status updates; and (5) security awareness training.

QCA. The OCR also investigated QCA, after a report of an unencrypted laptop containing the electronic protected health information of 148 people was stolen from an employee’s car. The investigation concluded that although QCA encrypted its devices after the breach was discovered, the company failed to comply with HIPAA Privacy and Security Rules from 2005 through June 2012. The company’s resolution agreement with the OCR provided that QCA shall pay a $250,000 monetary settlement. The company was also required to adopt a corrective action plan, in which QCA must: (1) update the company’s security management process, which includes a risk analysis and risk management plan; (2) provide security awareness training to staff; and (3) report any future HIPAA privacy and security violations to HHS.

“These major enforcement actions underscore the significant risk to the security of patient information posed by unencrypted laptop computers and other mobile devices,” HHS stated in its press release.

MainStory: TopStory ComplianceNews HIPAANews HITNews

Health Law Daily

Introducing Wolters Kluwer Health Law Daily — a daily reporting service created by attorneys, for attorneys — providing same-day coverage of breaking news, court decisions, legislation, and regulatory activity.


A complete daily report of the news that affects your world

  • View full summaries of federal and state court decisions.
  • Access full text of legislative and regulatory developments.
  • Customize your daily email by topic and/or jurisdiction.
  • Search archives for stories of interest.

Not just news — the right news

  • Get expert analysis written by subject matter specialists—created by attorneys for attorneys.
  • Track law firms and organizations in the headlines with our new “Who’s in the News” feature.
  • Promote your firm with our new reprint policy.

24/7 access for a 24/7 world

  • Forward information with special copyright permissions, encouraging collaboration between counsel and colleagues.
  • Save time with mobile apps for your BlackBerry, iPhone, iPad, Android, or Kindle.
  • Access all links from any mobile device without being prompted for user name and password.