The U.S. Department of Health & Human Services Office for Civil Rights (OCR) has settled with two healthcare organizations over potential HIPAA violations stemming from stolen, unencrypted laptops. Together the two organizations paid nearly $2 million. That is a huge sum for a pair of lost laptops. The OCR is using the cases to underline the importance of mobile device security, yet many healthcare organizations still don’t seem to grasp how critical it is to encrypt their mobile devices.
Susan McAndrew, the OCR’s deputy director of health information privacy, explained “our message to these organizations is simple: encryption is your best defense against these incidents.” Does your healthcare organization encrypt all mobile devices? If not, your organization could suffer the same fate if a laptop is lost or stolen.
A HIPAA Breach Leads to More Than Just a Hefty Fine – Your Organization’s Reputation is At Risk!
The two settlements were with Concentra Health Services and QCA Health Plan, Inc. Concentra Health Services paid $1,725,220 after an unencrypted laptop was stolen from its Springfield Missouri Physical Therapy Center, one of its many facilities. QCA Health Plan, Inc. paid $250,000 after an unencrypted laptop was stolen from an employee’s car; that laptop held protected health information for 148 individuals.
While these two organizations are paying hefty settlements, their reputations will also be severely damaged as a result of the HIPAA breaches. Keep in mind that your patients expect their protected health information to stay confidential, and they deserve that confidentiality at all times. Fail to maintain it and your patients will lose confidence in your organization.
Although Concentra Health Services had conducted several risk analyses that documented the lack of encryption, it never finished encrypting its laptops: 163 of its 597 laptops were unencrypted. A risk analysis that identifies a gap only helps if the gap is then closed.
QCA Health Plan, Inc. also failed to encrypt its laptops; it encrypted its mobile devices only after the breach. The OCR’s investigation found that QCA Health Plan, Inc. was out of compliance with multiple HIPAA requirements. In addition to the $250,000 payment, QCA Health Plan, Inc. is required to:
- Submit an updated risk analysis and risk management plan.
- Retrain the entire workforce.
- Document ongoing compliance efforts.
$2 Million in Penalties Could’ve Easily Been Avoided – Pay Attention to Details for HIPAA Compliance!
During the past year there have been far too many OCR settlements that could easily have been avoided. For example, WellPoint paid $1.7 million for exposing PHI online, and Affinity Health Plan paid $1.2 million for returning leased photocopiers with PHI still on their hard drives.
For a healthcare organization, IT security is not optional; it is a precondition of HIPAA compliance. Pay attention to the details, such as encryption and proper equipment disposal. Once you have conducted a risk analysis, implement safeguards that actually close the gaps it found, and verify that they are in place: an inventory showing which devices are encrypted is worth far more than a policy saying they should be. Note also that encryption only shields you from breach notification when it meets the HHS guidance on securing PHI, which points to encryption consistent with NIST SP 800-111 for data at rest with the decryption key kept separate from the device. In practice that means full-disk encryption on every laptop, not just the ones you happened to get to.
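As an added example (not code from the original article, the OCR, or either organization), here is the kind of check that turns "we think our laptops are encrypted" into the "N of M unencrypted" figure a risk analysis needs. It parses the JSON block-device tree that `lsblk -J -o NAME,TYPE,MOUNTPOINT` prints on Linux and decides, for every mounted filesystem, whether it sits on top of a dm-crypt (LUKS) device; a fleet summary aggregates the per-host results. The hostnames and both `lsblk` samples are constructed for the example.

```python
"""Full-disk encryption audit from `lsblk -J` output (added example)."""
import json
import subprocess
from typing import Dict, List, Tuple

# Partitions that are unencrypted by design on a LUKS laptop (bootloader and
# kernel). Everything else, swap included, must sit on a crypt device.
EXEMPT_MOUNTS = {"/boot", "/boot/efi"}


def encrypted_mounts(lsblk_json: str) -> Dict[str, bool]:
    """Map every mountpoint to True if its device stack contains a 'crypt' node.

    A filesystem counts as encrypted when the node it is mounted from, or any
    ancestor in the lsblk tree (e.g. a LUKS container under an LVM volume),
    has type "crypt".
    """
    tree = json.loads(lsblk_json)
    result: Dict[str, bool] = {}

    def walk(dev: dict, under_crypt: bool) -> None:
        under_crypt = under_crypt or dev.get("type") == "crypt"
        # util-linux >= 2.37 emits a "mountpoints" list; older versions "mountpoint".
        for mp in dev.get("mountpoints") or [dev.get("mountpoint")]:
            if mp:
                result[mp] = under_crypt
        for child in dev.get("children", []):
            walk(child, under_crypt)

    for dev in tree.get("blockdevices", []):
        walk(dev, False)
    return result


def host_unencrypted(lsblk_json: str) -> List[str]:
    """Mountpoints that hold data yet are not backed by an encrypted device."""
    return sorted(
        mp for mp, enc in encrypted_mounts(lsblk_json).items()
        if not enc and mp not in EXEMPT_MOUNTS
    )


def fleet_summary(hosts: Dict[str, str]) -> Tuple[int, int, Dict[str, List[str]]]:
    """Given {hostname: lsblk_json}, return (unencrypted_hosts, total_hosts, findings)."""
    findings: Dict[str, List[str]] = {}
    for host, lsblk_json in hosts.items():
        bad = host_unencrypted(lsblk_json)
        if bad:
            findings[host] = bad
    return len(findings), len(hosts), findings


def local_lsblk() -> str:
    """Collect this machine's block-device tree (Linux with util-linux only)."""
    return subprocess.check_output(
        ["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"], text=True
    )


# Constructed sample: a LUKS container holding LVM root and swap volumes;
# /boot and the EFI system partition are plain, as is normal.
ENCRYPTED_LAPTOP = json.dumps({"blockdevices": [
    {"name": "nvme0n1", "type": "disk", "mountpoint": None, "children": [
        {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
        {"name": "nvme0n1p2", "type": "part", "mountpoint": "/boot"},
        {"name": "nvme0n1p3", "type": "part", "mountpoint": None, "children": [
            {"name": "luks-root", "type": "crypt", "mountpoint": None, "children": [
                {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
                {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]"},
            ]},
        ]},
    ]},
]})

# Constructed sample: plain partitions straight on the disk, no crypt layer.
UNENCRYPTED_LAPTOP = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "mountpoint": "/boot/efi"},
        {"name": "sda2", "type": "part", "mountpoint": "/"},
        {"name": "sda3", "type": "part", "mountpoint": "[SWAP]"},
    ]},
]})

# Constructed fleet inventory; hostnames are hypothetical.
SAMPLE_FLEET = {
    "lt-0001": ENCRYPTED_LAPTOP,
    "lt-0002": UNENCRYPTED_LAPTOP,
    "lt-0003": UNENCRYPTED_LAPTOP,
}


if __name__ == "__main__":
    n_bad, n_total, findings = fleet_summary(SAMPLE_FLEET)
    print(f"{n_bad} of {n_total} laptops have unencrypted data volumes: {findings}")
    try:
        here = host_unencrypted(local_lsblk())
        print("this host:", "OK" if not here else f"UNENCRYPTED {here}")
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("this host: lsblk not available (not Linux?)")
```

Two caveats before treating this as your risk analysis. First, the block-device tree proves the layout, not that the key is kept off the device or that the volume was encrypted before any PHI was written to it; pair it with your key-escrow records. Second, it is Linux-only: the equivalent status checks are `manage-bde -status` for BitLocker on Windows and `fdesetup status` for FileVault on macOS, and on a real fleet the results should come from your endpoint management agent rather than from scripts run by hand.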
To learn more about HIPAA compliance, give us a call or send us an email. We can help you implement appropriate safeguards to mitigate risks and prevent HIPAA breaches.