2 Stolen Laptop Incidents Lead to Penalties
Relatively Small Breaches Result in Hefty Fines
The Department of Health and Human Services has entered HIPAA settlements totaling nearly $2 million with two covered entities that reported relatively small breaches involving stolen unencrypted laptop computers.
The news is significant because the most common cause of major healthcare data breaches listed on the official HHS breach tally is lost or stolen unencrypted devices or media, with laptops frequently involved.
"Covered entities and business associates must understand that mobile device security is their obligation," said Susan McAndrew, deputy director of health information privacy at the HHS Office for Civil Rights, which enforces HIPAA. "Our message to these organizations is simple: Encryption is your best defense against these incidents."
An HHS statement also notes: "These major enforcement actions underscore the significant risk to the security of patient information posed by unencrypted laptop computers and other mobile devices."
The two entities, Concentra Health Services, a provider of urgent care services based in Louisville, Ky., and QCA Health Plan Inc., an insurer based in Little Rock, Ark., have agreed to the settlements with the HHS Office for Civil Rights to resolve potential HIPAA privacy and security rule violations.
In its settlement, Concentra has agreed to pay OCR $1.72 million and will adopt a corrective action plan. Meanwhile, QCA Health Plan has agreed to a $250,000 monetary settlement and to correct deficiencies in its HIPAA compliance program, according to OCR.
Ramping up Enforcement
Some security and privacy experts say these latest settlements demonstrate that OCR is following through on its promise to ramp up HIPAA enforcement.
"I would expect to see these kinds of outcomes since OCR has stated that they are stepping up their enforcement actions," says security expert Brian Evans, principal consultant at Tom Walsh Consulting. "Penalties for noncompliance with the HIPAA Security Rule can have a positive influence on the tone, priorities and culture of an organization."
Kate Borten, founder and president of consulting firm The Marblehead Group, notes: "This is not surprising ... neither the fact that PHI [protected health information] continues to be breached through loss or theft of unencrypted portable devices nor the size of the resolution payment by Concentra of almost $2 million. However, since that dollar amount is similar to amounts paid when the breach rule was new, it could be argued that payments should be higher in 2014. And it appears that OCR needs the money to help fund a robust [HIPAA compliance] audit program."
OCR says it opened a compliance review of Concentra, a subsidiary of Humana, upon receiving a report on Dec. 28, 2011, that an unencrypted laptop was stolen on Nov. 30, 2011, from one of its facilities, the Springfield Missouri Physical Therapy Center. HHS' website listing major breaches shows that Concentra's 2011 breach affected 870 individuals.
OCR says its investigation revealed that Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information was a critical risk.
While steps were taken to begin encryption, Concentra's efforts were incomplete and inconsistent over time leaving patient information vulnerable throughout the organization, OCR says.
The resolution agreement between OCR and the healthcare provider says: "Concentra did not sufficiently implement policies and procedures to prevent, detect, contain and correct security violations under the security management process standard when it failed to adequately execute risk management measures to reduce its identified lack of encryption to a reasonable and appropriate level from Oct. 27, 2008 - the date of Concentra's last project report indicating that 434 out of 597 laptops were encrypted - until June 22, 2012, the date on which a complete inventory assessment was completed and Concentra immediately took action to begin encrypting all unencrypted devices."
OCR's investigation found Concentra had insufficient security management processes in place to safeguard patient information, the agreement notes. Concentra has agreed to pay OCR to settle potential violations and will adopt a corrective action plan that includes implementing a risk management plan that explains Concentra's strategy for implementing security measures sufficient to reduce the risks and vulnerabilities identified.
In a statement provided to Information Security Media Group, Concentra says, "Since self-reporting a stolen company laptop in 2011, Concentra has worked closely with the HHS' OCR to ensure confidentiality of protected health information. We received no indication that any information on the laptop was accessed or used inappropriately."
QCA Health Plan Settlement
As for QCA Health Plan's case, a small breach opened up a HIPAA compliance investigation that led to the OCR resolution agreement. OCR says it received a breach notice in February 2012 from the health plan reporting that an unencrypted laptop computer containing the information on 148 individuals was stolen from a workforce member's car.
While QCA encrypted its devices following discovery of the breach, OCR's investigation revealed that QCA failed to comply with multiple requirements of the HIPAA Privacy and Security Rules over a span of several years. In addition to agreeing to a $250,000 monetary settlement, QCA is required to provide HHS with an updated risk analysis and a corresponding risk management plan that includes specific security measures. QCA is also required to retrain its workforce and document its ongoing compliance efforts.
In a statement provided to ISMG, the company says, "QCA is committed to the privacy and security of its members' personal information and has strengthened safeguards to enhance the protection of their information, including encrypting all company laptops and mobile devices."
QCA legal counsel Jennifer Smith tells ISMG that she believes the company's settlement with OCR is a signal that the agency will take HIPAA enforcement action against any covered entity or business associate for potential HIPAA violations of any size. QCA's settlement contains "the most punitive penalty" filed in a resolution agreement involving a potential breach impacting fewer than 200 individuals, she says.