Recently, HHS Office of Civil Rights (OCR) announced that it has entered into settlement agreements with two entities following enforcement actions, both arising from stolen laptops that were not encrypted in accordance with the Security Rule. 

According to HHS, an unencrypted laptop was stolen from a physical therapy center in Springfield, Missouri.  The center was part of a larger health system, Concentra Health Services.  Through conducting required HIPAA risk analyses, Concentra had previously recognized that the lack of encryption on its devices posed a security risk.  However, HHS found that Concentra’s efforts to address this risk were “incomplete and inconsistent over time.”  Concentra has agreed to pay over $1.7 million to settle potential violations, as well as to submit a corrective action plan.  This significant monetary penalty suggests HHS will not look favorably upon violations of the Security Rule that the covered entity has documented but not taken reasonable efforts to correct.

QCA Health Plan, Inc., an Arkansas Health Plan, also reported a breach to HHS based on a stolen unencrypted laptop. In QCA’s case, the laptop was taken from an employee’s car. HHS found that QCA had failed to comply with multiple requirements of HIPAA including failing to implement required safeguards in accordance with the Security Rule. QCA agreed pay $250,000 and update its risk analysis to address vulnerabilities to protected health information.

These enforcement actions are part of increased efforts by OCR to conduct enforcement activities on the HIPAA Security Rule. While both incidents were in response to breaches reported by the entities, as required by HIPAA’s breach notification rule, OCR has recently faced criticism that its enforcement actions should include more proactive investigations into whether covered entities and business associates are in compliance with the Security Rule. We expect OCR to step up enforcement actions in the coming months, including through conducting audits of covered entities and business associates.

In the meantime, covered entities and business associates should take measures to ensure that they have adequate procedures in place, particularly encryption of all computers, laptops, and mobile devices, to protect the integrity of electronic protected health information.