
Stolen Laptops Lead to $2 Million in HHS Fines

May 1, 2014 | Chivaroli and Associates Insurance Services | Article Archives

Source: Health Data Management (Online)

The HHS Office for Civil Rights has levied monetary fines and corrective action plans against a provider organization and a health insurer for violations of the HIPAA privacy and security rules.

OCR fined provider organization Concentra Health Services $1,725,220, and fined Arkansas insurer QCA Health Plan Inc. $250,000, with both organizations signing resolution agreements to adopt a corrective action plan for HIPAA compliance. Both organizations demonstrated long-time non-compliance with HIPAA, according to OCR, which has now taken this level of action against at least 20 organizations.

In an announcement titled, “Stolen Laptops Lead to Important HIPAA Settlements,” OCR noted, “These major enforcement actions underscore the significant risk to the security of patient information posed by unencrypted laptop computers and other mobile devices.” Susan McAndrew, deputy director of health information privacy, hammered home the message a third time: “Covered entities and business associates must understand that mobile device security is their obligation. Our message to these organizations is simple: encryption is your best defense against these incidents.”

Concentra, a subsidiary of Humana Inc., operates more than 300 medical centers offering occupational medicine, urgent care, physical therapy and wellness services, as well as about 245 worksite clinics. The company had an unencrypted laptop stolen from a physical therapy center in Springfield, Mo., on Nov. 30, 2011, with protected health information on 870 individuals. An OCR investigation found that, from October 27, 2008 until June 22, 2012, Concentra failed to remediate an identified lack of encryption or to document why encryption was not reasonable and implement an alternative measure.

Ironically, October 27, 2008 was the date of the organization’s last report on an encryption project–with 434 of 597 laptops having been encrypted–until June 22, 2012, when a complete inventory assessment was finished and action restarted to encrypt all unencrypted devices, according to the resolution agreement with OCR. Among other provisions under the agreement, Concentra will submit a series of reports updating its progress to encrypt laptops, desktops, medical equipment, tablets and other storage devices.

Asked for comment on the resolution agreement, a Concentra spokesperson issued the following statement to Health Data Management: “Since self-reporting a stolen company laptop in 2011, Concentra has worked closely with the U.S. Department of Health and Human Services Office for Civil Rights to ensure confidentiality of protected health information. We received no indication that any information on the laptop was accessed or used inappropriately. Concentra remains focused on serving the health and well-being needs of our employers and patients with the highest integrity and utmost respect.”

OCR’s enforcement action against QCA Health Plan is the second time the agency has lowered the boom on an organization for a breach affecting fewer than 500 individuals, demonstrating the agency’s willingness to enforce HIPAA even if a breach is not considered to be major.

QCA Health Plan reported in February 2012 the theft of a laptop from an employee’s car, with the computer holding protected information on 148 individuals. While the company encrypted devices following the theft, pervasive disregard of HIPAA security rule requirements from the April 2005 compliance date until June of 2012 necessitated a higher level of enforcement, according to OCR. Under the resolution agreement, the insurer must implement updated risk analysis and risk management plans, retrain the workforce and document ongoing HIPAA compliance.

Resolution agreements for both companies are available here.

For more information, contact Chivaroli & Associates.

Tags: HHS fines, resolution agreements
Chivaroli and Associates Insurance Services
Chivaroli & Associates Insurance Services is a full-service brokerage and consulting firm that specializes in the custom design and placement of property and casualty insurance and alternative risk funding solutions for healthcare organizations.