Two entities have agreed to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) for nearly $2 million. Concentra Health Services (Concentra) agreed to pay $1,725,220 to settle allegations that an unencrypted laptop was stolen from its Springfield, Missouri, Physical Therapy Center facility. OCR’s investigations revealed that Concentra had previously recognized that its computers and other devices containing electronic protected health information (ePHI) were not properly encrypted, and that Concentra’s efforts to begin encryption were incomplete and inconsistent over time.
Separately, QCA Health Plan, Inc. of Arkansas agreed to pay $250,000 to settle allegations that an unencrypted laptop containing the ePHI of 148 individuals was stolen from a workforce member’s car. OCR’s investigations revealed that QCA failed to comply with multiple requirements of the HIPAA Privacy and Security Rules from April 2005 through June 2012.
Department of Health and Human Services. “Stolen Laptops Lead to important HIPAA Settlements.” News Release. 22 Apr. 2014.