OCR to Covered Entities and Business Associates: Encryption is Your Best Defense

May 21, 2014

While employees of covered entities and business associates regularly use laptops, tablets and other mobile devices to access, store and transmit electronic protected health information (PHI), many of these entities are not adopting appropriate privacy and security protocols to protect this information. Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, covered entities and business associates have a duty to safeguard the privacy and security of their patients’ PHI. However, unencrypted electronic devices leave PHI vulnerable to unauthorized access and disclosure. As a result, stolen electronic devices with unencrypted PHI are one of the leading causes of breaches and resulting settlement agreements with the U.S. Department of Health and Human Services Office for Civil Rights (OCR).

On April 22, 2014, OCR announced that Concentra Health Services (Concentra) and QCA Health Plan, Inc. (QCA) entered into resolution agreements with OCR for $1,725,220 and $250,000, respectively, to resolve potential HIPAA violations.

Following Concentra’s submission of a breach report indicating that a laptop had been stolen from one of its facilities, OCR initiated a compliance review of Concentra. OCR determined that Concentra had recognized that the lack of encryption on its electronic devices posed a security risk to patient data, but had not adequately mitigated that risk because it left certain of its laptops unencrypted. As part of its resolution agreement with OCR, Concentra entered into a corrective action plan under which it agreed to provide OCR with an updated risk assessment and risk management plan, updates on the encryption status of its devices and equipment, and proof that it had completed security awareness training of its staff.

Similarly, following receipt of a breach report from QCA indicating that an unencrypted laptop had been stolen from an employee’s car, OCR opened an investigation and found that QCA had failed to comply with multiple HIPAA requirements dating back to the compliance deadline for the HIPAA Security Rule in April 2005. As part of its resolution agreement with OCR, QCA entered into a corrective action plan where it agreed to provide OCR with an updated risk assessment and risk management plan. Further, QCA will need to retrain its workforce on HIPAA compliance.

Significantly, both the Concentra and QCA settlements involved entities that appear to have achieved some degree of Security Rule compliance before the monetary settlement was imposed. Covered entities and business associates should take note of these settlements and recognize that partial compliance with HIPAA is not enough to avoid monetary penalties. They should ensure that they are in full compliance with the requirements of HIPAA, including conducting a complete Security Rule risk assessment and ensuring that any identified risks to PHI are appropriately mitigated. Encryption deserves particular attention: under the HIPAA Breach Notification Rule, PHI that is encrypted in a manner consistent with HHS guidance is not “unsecured” PHI, so the loss or theft of a properly encrypted device generally does not constitute a reportable breach, whereas the loss of an unencrypted device does. Further, to the extent laptops are used by workforce members, OCR has stated, “[…] encryption is your best defense against these incidents.”

If you have any questions regarding HIPAA compliance or the above settlements, please do not hesitate to contact one of the authors.
