It is the same old song, BUT this time there are additional lessons to be learned from the two covered entities identified below that experienced stolen laptops.
The first thing to note, as many of you know, is that encryption is NOT required by the HIPAA Security Rule. It is what is called an "Addressable" Implementation Specification. The second thing to note is that the fact that it is Addressable won't keep you from getting whacked for failing to encrypt.
OCR opened a compliance review of Concentra Health Services (Concentra) upon receiving a breach report that an unencrypted laptop was stolen from one of its facilities, the Springfield Missouri Physical Therapy Center. OCR's investigation revealed that Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (ePHI) was a critical risk. While steps were taken to begin encryption, Concentra's efforts were incomplete and inconsistent over time, leaving patient PHI vulnerable throughout the organization. OCR's investigation further found that Concentra had insufficient security management processes in place to safeguard patient information. Concentra has agreed to pay OCR $1,725,220 to settle potential violations and will adopt a corrective action plan to evidence its remediation of these findings.
The moral of the story is that if you identify something as a best practice, then you can bet that it is going to be "reasonable and appropriate" for you to implement it. Here Concentra knew of the risk and failed to act on it. No bueno.
It didn't matter in the least that encryption is an "Addressable" implementation specification. I have said this often: if you want to prevent major fines, there are two mission-critical things you need to do: 1) encrypt ALL PHI; 2) don't store PHI on mobile devices (laptops, phones, tablets, etc.).
OCR received a breach notice in February 2012 from QCA Health Plan, Inc. of Arkansas reporting that an unencrypted laptop computer containing the ePHI of 148 individuals was stolen from a workforce member's car. While QCA encrypted their devices following discovery of the breach, OCR's investigation revealed that QCA failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, beginning from the compliance date of the Security Rule in April 2005 and ending in June 2012. QCA agreed to a $250,000 monetary settlement and is required to provide HHS with an updated risk analysis and corresponding risk management plan that includes specific security measures to reduce the risks to and vulnerabilities of its ePHI. QCA is also required to retrain its workforce and document its ongoing compliance efforts.
Here QCA had a relatively small breach, not even large enough to get them on the "Wall of Shame." However, that didn't stop HHS from investigating and finding other violations. You can expect to be audited after you experience a breach, even a small one.
This article discusses a HITECH Act compliance ticking time bomb known as "Accounting of Disclosures" of PHI, which we prefer to call "Accounting for Disclosures" of PHI, or "A4D" for short. Specifically, this article focuses on the "As Is" state of A4D as embodied in Privacy Rule section 164.528 and the implications of HITECH Act section 13405(c) for HHS' proposed A4D rule. HHS' proposed rule has been hotly debated and is long past due in its final form.
This webinar will review the "As Is" state of "Accounting for Disclosures" and how the HITECH Act modified it. It will also review the implications of HHS' Proposed Accounting Rule, which has been widely debated.