Unencrypted Laptop Results in $1.7 Million HIPAA Settlement | Practical Law


The Department of Health and Human Services (HHS) has announced a settlement with a health care provider for potential violations of the privacy and security rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The provider will pay more than $1.7 million for not fully correcting the privacy and security issues it had previously identified. 


Practical Law Legal Update 5-566-0347 (Approx. 4 pages)


by Practical Law Employee Benefits & Executive Compensation
Published on 25 Apr 2014, USA (National/Federal)
On April 22, 2014, HHS issued a resolution agreement and related press release announcing a settlement with a health care provider (Concentra Health Services), a HIPAA covered entity, for potential violations of the HIPAA privacy, security and breach notification rules. HHS began its investigation after the provider submitted a breach notification involving the theft of an unencrypted laptop from one of the provider's physical therapy facilities in November 2011 (see Practice Note, HIPAA Breach Notification Rules).
According to HHS, the provider's last security project report, conducted in October 2008, indicated that 434 of its 597 laptops were encrypted. In this and other risk analyses performed prior to the November 2011 theft, the provider recognized that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (PHI) represented a risk. However, the provider's subsequent efforts to encrypt and otherwise safeguard PHI were incomplete. After the incident, the provider:
  • Completed a full inventory assessment of its devices in June 2012.
  • Immediately began encrypting all unencrypted devices at that time.
HHS concluded that from October 2008 until June 2012, the provider failed to:
  • Adequately correct and manage its identified lack of encryption, or document why encryption was not reasonable and appropriate and implement an equivalent alternative measure to encryption.
  • Sufficiently implement policies and procedures to prevent, detect, contain and correct security violations under HIPAA's security rules, in that it failed to adequately execute risk management measures to address its identified lack of encryption.

Resolution Agreement and Corrective Action Plan

Under the resolution agreement, the provider must:
  • Pay $1,725,220 to settle its potential HIPAA violations.
  • Adopt a corrective action plan (CAP).
The CAP, which has a term of two years, requires the provider to (among other things):
  • Periodically provide HHS with:
    • a risk analysis of potential risks and vulnerabilities regarding its electronic PHI;
    • a risk management plan that explains its strategy for implementing security measures (including specific timelines for completion);
    • an encryption status update addressing the percentage of devices that are encrypted; and
    • documentation indicating that all workforce members have completed security awareness training.
  • Provide an implementation report and annual reports to HHS on its progress in meeting the CAP's obligations.
  • Comply with recordkeeping requirements.
Under a second HHS resolution agreement, also resulting from a HIPAA breach notification, a health plan will pay $250,000 to settle potential HIPAA violations involving the theft from a workforce member's car of an unencrypted laptop computer containing the electronic PHI of 148 individuals. Although the plan encrypted its devices after the breach was discovered, a subsequent HHS investigation revealed multiple violations of HIPAA's privacy and security rules (see Practice Notes, HIPAA Privacy Rule and HIPAA Security Rule).

Practical Impact

Under the final HIPAA regulations, an impermissible use or disclosure of unsecured PHI is presumed to require breach notification, unless the covered entity (or business associate) can demonstrate, through a risk assessment, a low probability that PHI has been compromised. As these reported settlements suggest, however, a covered entity that provides HIPAA breach notification should be prepared to face an HHS investigation of the covered entity's HIPAA compliance. Moreover, such an investigation will not necessarily be limited to the incident for which breach notice was provided, but may reach other aspects of the covered entity's HIPAA privacy and security compliance. Consistent with informal statements by HHS officials, these settlements also underscore the importance of encrypting devices, including portable laptops.