The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) settled for the collective amount of $1,975,220 with Concentra Health Services (Concentra) and QCA Health Plan, Inc. (QCA). The settlements stem from OCR investigations in 2011 and 2012 related to each of the companies reporting a single stolen laptop; Concentra also had a laptop stolen in 2009.

In its press release, HHS stated that after further investigating Concentra it found that Concentra was aware prior to the most recent laptop theft that not all of its laptops, desktop computers, medical equipment, tablets and other devices that contained ePHI were encrypted. But despite Concentra’s discoveries as a result of risk analyses that it had conducted, it failed to remedy the critical risks and did not encrypt all of the devices. OCR also found that Concentra had insufficient security management processes. OCR’s investigation of QCA revealed that in addition to the unencrypted laptop, QCA failed to comply with numerous HIPAA privacy and security requirements for several years.

Susan McAndrew, OCR’s Deputy Director of Health Information Privacy, reiterated the significance of encryption and the obligations of covered entities and business associates to adequately secure mobile devices when she stated that OCR’s message to covered entities and business associates is simple: “encryption is your best defense against these incidents.” Ms. McAndrew’s statement is significant and a shift from the view that although security is an obligation, encryption is not required under the HIPAA Security Rule. In light of these two settlements and the Deputy Director’s commentary it is evident that OCR views encryption as an essential security safeguard for laptops, desktop computers, medical equipment, tablets and other mobile devices. In light of these two settlements and the Deputy Director’s commentary it is evident that OCR views encryption as an essential security safeguard for laptops, desktop computers, medical equipment, tablets and other mobile devices.

Concentra has agreed to pay HHS a monetary settlement of $1,725,220 and QCA has agreed to pay $250,000. Both entities have also agreed to each undertake a corrective action plan (CAP),  which CAPs include risk analyses, development of risk management plans, policy and procedure revisions, staff training and certification of staff training. Concentra’s CAP contains more onerous requirements, including the continued submission of additional documents, reports and encryption status updates to HHS. Concentra’s CAP may be more extensive than QCA’s because it already had a laptop that contained ePHI stolen in 2009 and because it failed to remedy the encryption issue it discovered during the risk analyses it performed prior to the second laptop being stolen. OCR also noted that QCA did encrypt its devices after the laptop was stolen and it discovered the breach.

For more information about the settlements and the CAPs, see the Concentra Resolution Agreement and the QCA Resolution Agreement.

Practice Tip: Audit your encryption policies and practices for all mobile devices to adequately secure your company’s mobile devices.