July 3, 2020

Volume X, Number 185


Two HIPAA (Health Insurance Portability and Accountability Act) Settlements Follow Stolen Laptops

Recently, HHS Office of Civil Rights (OCR) announced that it has entered into settlement agreements with two entities following enforcement actions, both arising from stolen laptops that were not encrypted in accordance with the Security Rule. 

According to HHS, an unencrypted laptop was stolen from a physical therapy center in Springfield, Missouri.  The center was part of a larger health system, Concentra Health Services.  Through conducting required HIPAA risk analyses, Concentra had previously recognized that the lack of encryption on its devices posed a security risk.  However, HHS found that Concentra’s efforts to address this risk were “incomplete and inconsistent over time.”  Concentra has agreed to pay over $1.7 million to settle potential violations, as well as to submit a corrective action plan.  This significant monetary penalty suggests HHS will not look favorably upon violations of the Security Rule that the covered entity has documented but not taken reasonable efforts to correct.

QCA Health Plan, Inc., an Arkansas health plan, also reported a breach to HHS based on a stolen unencrypted laptop. In QCA’s case, the laptop was taken from an employee’s car. HHS found that QCA had failed to comply with multiple requirements of HIPAA, including failing to implement required safeguards in accordance with the Security Rule. QCA agreed to pay $250,000 and to update its risk analysis to address vulnerabilities to protected health information.

These enforcement actions are part of increased efforts by OCR to conduct enforcement activities on the HIPAA Security Rule. While both incidents were in response to breaches reported by the entities, as required by HIPAA’s breach notification rule, OCR has recently faced criticism that its enforcement actions should include more proactive investigations into whether covered entities and business associates are in compliance with the Security Rule. We expect OCR to step up enforcement actions in the coming months, including through conducting audits of covered entities and business associates.

In the meantime, covered entities and business associates should take measures to ensure that they have adequate procedures in place, particularly encryption of all computers, laptops, and mobile devices, to protect the integrity of electronic protected health information.

© 2020 Covington & Burling LLP

National Law Review, Volume IV, Number 119


About this Author

Dena Feldman, healthcare attorney, Covington

Dena Feldman helps clients from across the health care industry navigate a range of complex regulatory and policy issues.

Ms. Feldman has particular expertise on health privacy issues arising under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Clinical and Economic Health (“HITECH”) Act, and state medical privacy laws. Ms. Feldman also regularly counsels clients on the federal rules and policies governing Medicare and Medicaid, including the new mandates of the Affordable Care Act.