The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) collected $1,975,220 from two entities under HIPAA resolution agreements. Both entities had breaches involving stolen laptops that were not encrypted, leaving the patient information on them unprotected.
Concentra Health Services (Concentra) paid $1,725,220 for a stolen, unencrypted laptop. The number of patient records involved was not disclosed. The OCR Resolution Agreement states:
Concentra failed to adequately remediate and manage its identified lack of encryption or, alternatively, document why encryption was not reasonable and appropriate and implement an equivalent alternative measure to encryption, if reasonable and appropriate, from October 27, 2008, until June 22, 2012 (date on which a complete inventory assessment was completed and Concentra immediately took action to begin encrypting all unencrypted devices) (see 45 C.F.R. § 164.312(a)(2)(iv)).
Concentra did not sufficiently implement policies and procedures to prevent, detect, contain, and correct security violations under the security management process standard when it failed to adequately execute risk management measures to reduce its identified lack of encryption to a reasonable and appropriate level from October 27, 2008, (date of Concentra’s last project report indicating that 434 out of 597 laptops were encrypted) until June 22, 2012 (date on which a complete inventory assessment was completed and Concentra immediately took action to begin encrypting all unencrypted devices) (see 45 C.F.R. § 164.308(a)(1)(i)).
In plain terms, OCR found that Concentra knew about the risk to patient information (its own project report showed 163 of 597 laptops still unencrypted in October 2008) and then let that gap stand for almost four years. This is a clear case showing that performing a Security Risk Assessment alone is NOT enough. The risk management requirement of the Security Rule means an organization has to implement the controls that actually lower the identified risk, and if it decides encryption is not reasonable and appropriate, it has to document why and put an equivalent alternative measure in place.
148 Stolen Records
The second entity, QCA Health Plan, Inc., of Arkansas, paid a smaller amount, $250,000, after an unencrypted laptop was stolen from an employee's car. What is interesting in this case is that the stolen laptop contained only 148 patient records. The $250,000 settlement works out to about $1,689 per record!
The takeaway here is that if you have laptops, USB drives or even smartphones with patient information on them, you should implement encryption as soon as possible, if not sooner! OCR is making a clear statement that failing to encrypt laptops, when that failure results in a breach of patient information, will be met with substantial penalties. The flip side matters just as much: under HHS's breach-notification guidance, PHI encrypted in line with NIST SP 800-111 (data at rest) is "secured", so the loss of a properly encrypted device whose decryption key was not stored with it is not a reportable breach at all. Even the smallest of entities could have 148 patient records on a laptop, USB drive or backup tape.
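The Concentra case turned on an inventory question: which machines are actually encrypted? The script below is an added example written for this article, not OCR material or anything from Concentra or QCA. It answers that question for a Linux laptop by reading the block-device tree that `lsblk -J` (util-linux) prints as JSON and walking each mounted filesystem's ancestry for a dm-crypt layer; the walk is what makes LVM-on-LUKS layouts count correctly, because the filesystem's direct parent is an LVM volume and the crypt device sits one level above it. The two sample trees are constructed for the example, not captured output.

```python
"""Check whether a Linux laptop's data volumes sit on a LUKS/dm-crypt layer.

Added example for this article (not OCR or Concentra/QCA material). Reads the
JSON block-device tree from `lsblk -J` and treats a mounted filesystem as
encrypted only if a dm-crypt device ("type": "crypt") appears somewhere in
its chain back to the physical disk.
"""
import json
import subprocess

LSBLK_COLUMNS = "NAME,TYPE,FSTYPE,MOUNTPOINT"

# /boot and the EFI system partition hold the kernel and bootloader, not data,
# and are normally left in the clear so the machine can boot. Everything else,
# including swap (which can hold pages of PHI paged out of memory), is checked.
BOOT_MOUNTS = frozenset({"/boot", "/boot/efi", "/efi"})


def walk(devices, ancestors=()):
    """Depth-first walk of the lsblk tree yielding (device, chain-from-disk)."""
    for dev in devices:
        chain = ancestors + (dev,)
        yield dev, chain
        yield from walk(dev.get("children", []), chain)


def encryption_report(tree):
    """Map each checked mountpoint to True/False: is a dm-crypt layer beneath it?"""
    report = {}
    for dev, chain in walk(tree["blockdevices"]):
        mountpoint = dev.get("mountpoint")
        if not mountpoint or mountpoint in BOOT_MOUNTS:
            continue
        report[mountpoint] = any(d.get("type") == "crypt" for d in chain)
    return report


def unencrypted_mounts(tree):
    """Mountpoints whose data lives on the disk in the clear (sorted)."""
    return sorted(mp for mp, enc in encryption_report(tree).items() if not enc)


def live_tree():
    """Run lsblk on this host. Needs util-linux with JSON support (2.27+)."""
    out = subprocess.check_output(["lsblk", "-J", "-o", LSBLK_COLUMNS], text=True)
    return json.loads(out)


# Constructed sample trees (not real captured output). The first is a typical
# LVM-on-LUKS install; the second is the same laptop with no encryption at all.
ENCRYPTED_LAPTOP = {"blockdevices": [
    {"name": "nvme0n1", "type": "disk", "fstype": None, "mountpoint": None, "children": [
        {"name": "nvme0n1p1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
        {"name": "nvme0n1p2", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
        {"name": "nvme0n1p3", "type": "part", "fstype": "crypto_LUKS", "mountpoint": None, "children": [
            {"name": "cryptroot", "type": "crypt", "fstype": "LVM2_member", "mountpoint": None, "children": [
                {"name": "vg-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"},
                {"name": "vg-home", "type": "lvm", "fstype": "ext4", "mountpoint": "/home"},
                {"name": "vg-swap", "type": "lvm", "fstype": "swap", "mountpoint": "[SWAP]"}]}]}]}]}

PLAIN_LAPTOP = {"blockdevices": [
    {"name": "sda", "type": "disk", "fstype": None, "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
        {"name": "sda2", "type": "part", "fstype": "ext4", "mountpoint": "/"},
        {"name": "sda3", "type": "part", "fstype": "ext4", "mountpoint": "/home"},
        {"name": "sda4", "type": "part", "fstype": "swap", "mountpoint": "[SWAP]"}]}]}


if __name__ == "__main__":
    for label, tree in (("sample encrypted", ENCRYPTED_LAPTOP), ("sample plain", PLAIN_LAPTOP)):
        print(label, "unencrypted:", unencrypted_mounts(tree) or "none")
    try:
        print("this host unencrypted:", unencrypted_mounts(live_tree()) or "none")
    except (OSError, subprocess.CalledProcessError) as exc:
        print("lsblk unavailable:", exc)
```

Run it from a configuration-management or MDM job on every laptop and collect the result per host, and you have the "complete inventory assessment" that took Concentra until 2012. Two caveats a practitioner should keep in mind: a crypt layer proves the block device is encrypted, not that the key is protected (a keyfile on the unencrypted /boot partition, a weak passphrase, or a device stolen while unlocked all defeat it), and the script only sees media attached at the time it runs, so USB drives and backup tapes need their own controls. The equivalent one-liners on other platforms are `fdesetup status` on macOS and `manage-bde -status` on Windows.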