Unencrypted-laptop thefts at center of recent HIPAA settlements

Modern Healthcare - REGIONAL NEWS - Joseph Conn

Concentra Health Services, Addison, Texas, a subsidiary of Humana and a provider of occupational medicine and other health services, has agreed to pay more than $1.7 million in a federal Health Insurance Portability and Accountability Act privacy and security rule settlement, HHS’ Office for Civil Rights announced.

In addition, QCA Health Plan of Arkansas in Little Rock agreed to pay $250,000 in a similar settlement, the civil rights office reported in a news release.

Both cases are linked to thefts of laptop computers that lacked data-protecting encryption, according to the agency, which has enforcement authority over HIPAA’s privacy and security rules.

The civil rights office launched its investigation of Concentra after receiving a report of a breach incident at its Springfield, Mo., physical therapy center, according to the statement.

The “investigation revealed that Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information was a critical risk,” the Office for Civil Rights said. “While steps were taken to begin encryption, Concentra’s efforts were incomplete and inconsistent over time, leaving patient PHI (protected health information) vulnerable throughout the organization. OCR’s investigation further found Concentra had insufficient security-management processes in place to safeguard patient information.”

Concentra agreed to pay $1.7 million to settle potential security violations and to adopt a corrective action plan, the agency said.

The QCA investigation began after a February 2012 report of a security breach involving the medical records of 148 individuals on an unencrypted laptop stolen from an employee’s car. It revealed that QCA “failed to comply with multiple requirements of the HIPAA privacy and security rules,” the federal agency said. In addition to the settlement, QCA “is required to provide HHS with an updated risk analysis and corresponding risk-management plan that includes specific security measures to reduce the risks to and vulnerabilities of its electronic protected health information,” the civil rights office said.
