April 24, 2014

Yep, you read correctly!  $1,975,220 Fine for 2 Stolen Laptops!  The U.S. Department of Health and Human Services reported on Tuesday that two entities are paying a total of $1,975,220 because laptops owned by their respective companies were stolen.  Press Release is Here.  

Based on the facts provided in the Press Release, it appears Concentra Health Services self-reported pursuant to its breach notification policy that an unencrypted laptop was stolen from one of its facilities, the Springfield Missouri Physical Therapy Center.  In its review, the Office for Civil Rights uncovered that Concentra had previously recognized in multiple risk analyses that "a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (ePHI) was a critical risk."  Concentra had not completed its encryption effort at the time the laptop was stolen, "leaving patient PHI vulnerable throughout the organization." Concentra has agreed to pay OCR $1,725,220 to settle potential violations and will adopt a corrective action plan to evidence their remediation of these findings.  

Similarly, QCA Health Plan, Inc. of Arkansas reported to OCR that an unencrypted laptop computer containing the ePHI of 148 individuals was stolen from a workforce member’s car.  OCR found that QCA "failed to comply with multiple requirements of the HIPAA Privacy and Security Rules; one of such requirement is maintaining a security policy.  QCA agreed to a $250,000 monetary settlement and is required to provide HHS with an updated risk analysis and corresponding risk management plan that includes specific security measures to reduce the risks to and vulnerabilities of its ePHI.  QCA is also required to retrain its workforce and document its ongoing compliance efforts."

The recent trend in HIPAA enforcement actions is fining and holding responsible entities with disregard of applicable laws and procedures.  The best way to protect yourself and your practice from exposure is to operate transparently with proper policies and procedures - in previous emails we have discussed what that means as an employer - for instance, establish protocols for proper patient interaction and safekeeping of records, maintain an updated privacy policy, receive patient consent prior to release.

Receive a call from OCR?  Do not call back without your counsel having prepped you and on the line. 

 
 

Recent Webinars -


I-STOP Implementation - Common Q&As

 

 

Healthcare Newsletter, Provided by: Jennifer Kirschenbaum, Esq.

516 747-6700 x. 302, Jennifer@Kirschenbaumesq.com

Kirschenbaum & Kirschenbaum, P.C.