To Encrypt or Not to Encrypt—A $2 Million Question with a Simple Answer, HHS Says
The Department of Health and Human Services (“HHS”) just announced a pair of settlements arising out of the theft of two laptops containing protected health information (“PHI”). Two entities, Concentra Health Services (“Concentra”) and QCA Health Plan, Inc. of Arkansas (“QCA”), have agreed to pay the HHS Office for Civil Rights (“OCR”) nearly $2 million to settle alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”). In announcing the settlements in a press release, the HHS message was clear: encrypt PHI on mobile devices or be prepared to shell out vast sums of money in HIPAA penalties.
The Concentra Settlement. Concentra notified HHS in 2011 that an unencrypted laptop containing PHI was stolen from its Springfield, Missouri physical therapy center. While investigating the incident, HHS found that Concentra had recognized in 2008 that it had only encrypted 434 out of 597 of its laptops, had begun to encrypt its devices, but failed to adequately complete the encryption process by 2012, when Concentra immediately began encrypting all unencrypted devices. Further, HHS found that Concentra did not have sufficient policies and procedures in place to protect individuals’ PHI. Concentra has agreed to pay $1,725,000 to OCR and has entered into a corrective action plan.
The QCA Settlement. QCA notified HHS in 2012 that an unencrypted laptop was stolen from an employee’s car. The laptop contained the PHI of 148 individuals. During its investigation, HHS found that QCA did not have sufficient policies and procedures in place to identify risks and safeguard PHI. Further, HHS found that QCA did not have physical safeguards for all workstations. QCA has agreed to pay $250,000 to OCR and has entered into a corrective action plan.
In the press release, HHS pointed to the six educational programs provided by OCR to health care providers regarding HIPAA compliance, seemingly an indicator that HHS thinks health care providers should be more proactive in understanding their obligations under and complying with HIPAA. Susan McAndrew, OCR’s deputy director of health information privacy, stated that “[c]overed entities and their business associates must understand that mobile device security is their obligation” and “[o]ur message to these organizations is simple: encryption is your best defense against these incidents.”
You can view the HHS press release here.
You can read the QCA Resolution Agreement here.
You can read the Concentra Resolution Agreement here.