Local: (805)-371-3680 | Toll Free: (800) 240-CHIV
Source: Health Data Management (Online)
The HHS Office for Civil Rights has levied monetary fines and corrective action plans against a provider organization and a health insurer for violations of the HIPAA privacy and security rules.
OCR fined provider organization Concentra Health Services $1,725,220, and fined Arkansas insurer QCA Health Plan Inc. $250,000, with both organizations signing resolution agreements to adopt a corrective action plan for HIPAA compliance. Both organizations demonstrated long-time non-compliance with HIPAA, according to OCR, which has now taken this level of action against at least 20 organizations.
In an announcement titled, “Stolen Laptops Lead to Important HIPAA Settlements,” OCR noted, “These major enforcement actions underscore the significant risk to the security of patient information posed by unencrypted laptop computers and other mobile devices.” Susan McAndrew, deputy director of health information privacy, hammered home the message a third time: “Covered entities and business associates must understand that mobile device security is their obligation. Our message to these organizations is simple: encryption is your best defense against these incidents.”
Concentra, a subsidiary of Humana Inc., operates more than 300 medical centers offering occupational medicine, urgent care, physical therapy and wellness services, as well as about 245 worksite clinics. The company had an unencrypted laptop stolen form a physical therapy center in Springfield, Mo., on Nov. 30, 2011, with protected health information on 870 individuals. OCR in an investigation found that Concentra failed to remediate an identified lack of encryption or to document why encryption was not reasonable and implement an alternative measure from October 27, 2008 until June 22, 2012.
Ironically, October 27, 2008 was the date of the organization’s last report on an encryption project–with 434 of 597 laptops having been encrypted–until June 22, 2012, when a complete inventory assessment was finished and action restarted to encrypt all unencrypted devices, according to the resolution agreement with OCR. Among other provisions under the agreement, Concentra will submit a series of reports updating its progress to encrypt laptops, desktops, medical equipment, tablets and other storage devices.
Asked for comment on the resolution agreement, a Concentra spokesperson issued the following statement to Health Data Management: “Since self-reporting a stolen company laptop in 2011, Concentra has worked closely with the U.S. Department of Health and Human Services Office for Civil Rights to ensure confidentiality of protected health information. We received no indication that any information on the laptop was accessed or used inappropriately. Concentra remains focused on serving the health and well-being needs of our employers and patients with the highest integrity and utmost respect.”
OCR’s enforcement action against QCA Health Plan is the second time the agency has lowered the boom on an organization for a breach affecting less than 500 individuals, demonstrating the agency’s willingness to enforce HIPAA even if a breach is not considered to be major.
QCA Health Plan reported in February 2012 the theft of a laptop from an employee’s car, with the computer holding protected information on 148 individuals. While the company encrypted devices following the theft, pervasive disregard of HIPAA security rule requirements from the April 2005 compliance date until June of 2012 necessitated a higher level of enforcement, according to OCR. Under the resolution agreement, the insurer must implement updated risk analysis and risk management plans, retrain the workforce and document ongoing HIPAA compliance.
Resolution agreements for both companies are available here.
For more information, contact Chivaroli & Associates.
