Stolen Unencrypted Laptop Leads to Large HIPAA Settlement – Is Your Practice at Risk?

Two recent settlements imposed by the HHS Office for Civil Rights (OCR) draw attention to the unacceptable risk that unencrypted devices pose to the security of patient information, and to the consequences that organizations, both large and small, may face after a breach. Susan McAndrew, Deputy Director of Health Information Privacy, stated it clearly for providers: “Our message to these organizations is simple: encryption is your best defense against these incidents.”

In the first case, Concentra Health Services has agreed to pay $1,725,220 to the OCR to settle potential violations resulting from the theft of an unencrypted laptop, according to the US Department of Health & Human Services (HHS). Although Concentra had taken steps to begin encrypting all devices, OCR found its efforts were “incomplete and inconsistent, over time leaving PHI [protected health information] vulnerable throughout the organization.”

Perhaps more concerning to small physician practices is OCR’s enforcement action against QCA Health Plan in Arkansas. While Concentra’s stolen laptop put the PHI of 870 patients at risk, the laptop stolen from a QCA employee’s car held the PHI of only 148 individuals. The Arkansas insurer was nonetheless fined $250,000, because OCR found that QCA’s “pervasive disregard of HIPAA security rule requirements from the April 2005 compliance date” called for a higher level of enforcement.

This is the second time OCR has taken corrective action against an organization for a breach affecting fewer than 500 individuals, and it demonstrates OCR’s willingness to enforce HIPAA on any breach, big or small.

If your practice hasn’t started planning for device encryption, now is the time to start. The daily headlines make clear that a lost or stolen device is no longer a question of if, but when. Encryption changes what that loss means: under HHS breach notification guidance, PHI on a device encrypted in line with NIST standards is treated as secured, so the theft of a properly encrypted laptop is generally not a reportable breach, whereas the theft of an unencrypted one is. Take the time to protect your patients and your practice. Some steps to consider include:

Consider taking advantage of educational programs on HIPAA Privacy and Security Rule compliance. OCR offers programs with free Continuing Medical Education credits, including one specifically on mobile device security.