OCR Announces HIPAA Settlements Related to Theft of Unencrypted Laptops: 4 Important Lessons to Take Away

On April 22, 2014, the Department of Health and Human Services Office for Civil Rights (OCR) announced two HIPAA settlements. The settlements, with Concentra Health Services and QCA Health Plan of Arkansas, resolved alleged violations of the HIPAA Privacy and Security Rules and collectively totaled $1,975,220.

According to the OCR press release, the review of Concentra Health Services resulted from a breach report involving the theft of an unencrypted laptop from the company's Springfield, Missouri Physical Therapy Center. OCR stated that its investigation revealed that Concentra had recognized the lack of encryption on mobile devices as a "critical risk" in multiple risk assessments, yet had not consistently remediated it.

The OCR investigation of QCA Health Plan followed a February 2012 breach notification, also related to the theft of an unencrypted laptop. As a result of the investigation, OCR alleged that, even though QCA encrypted its laptops after the breach, QCA "failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, beginning from the compliance date of the HIPAA Security Rule in 2005 and ending in June 2012."

The key lessons from these settlements and from the information in OCR's press release are:

  1. Breach Notifications Can and Will Be Used to Launch an Investigation. Both investigations discussed in the OCR press release originated from a self-reported breach, as required by the HIPAA Breach Notification Rule, which obligates covered entities to report a breach of unsecured protected health information to OCR. If the laptops had been encrypted in accordance with the OCR guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, the stolen data would not have been "unsecured" PHI, the theft would not have constituted a reportable breach, and no notification to OCR would have been required.
  2. A HIPAA Security Risk Assessment Can Be Used Against a Covered Entity. As discussed above, the OCR press release states that Concentra acknowledged on multiple occasions that unencrypted laptops posed a "critical risk," yet was not consistently encrypting mobile devices at the time of the breach. Encryption is an addressable, not a required, implementation specification under the HIPAA Security Rule, but here the covered entity allegedly documented in its own risk assessment that unencrypted laptops posed a critical risk to the organization and then failed to act on that finding. Covered entities and business associates that cannot immediately encrypt laptops should document why the addressable implementation specification is not reasonable and appropriate for the organization at the current time, and should document the alternative measures being taken to protect the information and prevent theft (such as physical security controls or workstation use policies). An issue identified as a "critical risk" in the risk assessment should be remediated immediately; a documented critical risk left open is exactly the evidence OCR will cite.
  3. OCR Will Look Beyond the Timeframe of the Reported Breach in Its Investigation. The investigation of QCA resulted from a self-reported breach notification in February 2012, yet OCR examined QCA's compliance from the inception of the Security Rule. Covered entities should keep documentation available demonstrating compliance with the HIPAA Security and Privacy Rules for at least six years, and possibly longer. Note that although HIPAA requires documentation to be retained for six years (45 CFR §164.105), OCR in this instance investigated compliance as far back as 2005, which is seven years before the 2012 breach notification.
  4. OCR Expects Covered Entities and Business Associates to Encrypt Mobile Devices. Although, as discussed above, encryption is technically not a required implementation specification under the HIPAA Security Rule, OCR is sending a strong message to covered entities and business associates to encrypt mobile devices. In the OCR press release, Susan McAndrew, OCR's deputy director of health information privacy, is quoted as stating: "Our message to these organizations is simple: encryption is your best defense against these incidents." As encryption of mobile devices becomes more affordable and easier to implement, it is less and less likely that OCR will excuse a failure to encrypt mobile devices containing PHI. Note, too, that the safe harbor depends on the encryption actually protecting the data: a device whose encryption key or passphrase travels with it (for example, written on the laptop or stored unprotected on the same device) does not render the PHI unreadable to a thief.