Stolen laptops lead to HIPAA settlements

June 02, 2014

By Kelly Soderlund

Two health care entities paid settlements to the federal government after possibly violating the Health Insurance Portability and Accountability Act when unencrypted laptops were stolen.

An unencrypted laptop was stolen from one of Concentra Health Services' facilities, the Springfield Missouri Physical Therapy Center, resulting in a $1,725,220 fine. QCA Health Plan Inc., of Arkansas, reported that an unencrypted laptop was stolen from a workforce member's car. The company agreed to a $250,000 settlement.

"These major enforcement actions underscore the significant risk to the security of patient information posed by unencrypted laptop computers and other mobile devices," according to a U.S. Department of Health and Human Services Office for Civil Rights news release.

OCR's investigation into Concentra revealed the health care provider had recognized in previous risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information was a critical risk. While steps were taken to encrypt the devices, Concentra's efforts were incomplete and inconsistent over time, leaving patient protected health information vulnerable.

The investigation also found that Concentra had insufficient security management processes in place to safeguard patient information. In addition to the settlement, Concentra agreed to adopt a corrective action plan.

In Arkansas, the unencrypted laptop stolen from a workforce member's car contained the electronic protected health information of 148 people. QCA encrypted its devices following the breach, but OCR's investigation found that the company had failed to comply with multiple requirements of the HIPAA Privacy and Security Rules.

Along with the monetary settlement, QCA is required to provide HHS with an updated risk analysis and corresponding risk management plan that includes specific security measures to reduce the risks to and vulnerabilities of its electronic protected health information. The health plan must also retrain its workforce and document its ongoing compliance efforts.

The resolution agreements for both providers are available at hhs.gov/ocr/privacy/hipaa/enforcement/examples/stolenlaptops-agreements.html.

OCR has six educational programs on compliance with various aspects of the HIPAA Privacy and Security Rules for health care providers. They're each available with free continuing education credits for health care professionals, with one module focusing specifically on mobile device security, at hhs.gov/ocr/privacy/hipaa/understanding/training.

The ADA Complete HIPAA Compliance Kit (J598) has tools to help dentists design and implement a comprehensive HIPAA compliance program. The kit includes two products: The ADA Practical Guide to HIPAA Compliance: Privacy and Security Manual and The ADA Practical Guide to HIPAA Training CD-ROM. It's available for $300 to members and $450 retail. Visit adacatalog.org to purchase.