$2 million HIPAA settlement highlights mobile device risks facing healthcare providers


Laptops and other mobile devices containing personal health information have been stolen from long-term care ombudsman programs and other healthcare organizations, Concentra Health Services and QCA Health Plan Inc. among them. Now, Concentra and QCA have agreed to legal settlements totaling nearly $2 million, federal authorities announced Tuesday.

Concentra agreed to the larger settlement, $1.7 million. The Texas-based healthcare provider reported in December 2011 that an unencrypted laptop had been stolen from one of its physical therapy centers, according to the settlement resolution document. A subsequent federal investigation alleged that Concentra dragged its feet even after identifying data security risks, according to the Health and Human Services Office for Civil Rights, which oversees health information privacy matters. Specifically, Concentra determined in 2008 that only 434 of nearly 600 company laptops were encrypted, but it did not begin encrypting all devices until 2012, the settlement document states.

Concentra does not admit to any wrongdoing by entering into the settlement, according to the resolution. In addition to the financial penalty, the company has agreed to a corrective action plan to beef up data security.

In a separate case, a thief stole an unencrypted laptop from the car of a QCA employee in 2012, leading to a federal investigation and a $250,000 settlement. The Arkansas-based health insurance company does not admit any wrongdoing, and it also has agreed to a corrective action plan, the Office for Civil Rights announced.

In January, a flash drive and laptop were stolen from an employee of the Michigan Long-Term Care Ombudsman's Office. The information on the laptop was encrypted, but the information on the flash drive was not, according to the state's Department of Community Health. The HIPAA breach might have compromised nearly 2,600 people's information.

The Health Insurance Portability and Accountability Act does not specifically mandate that providers encrypt personal health information, but they are required to pursue alternative safeguards if they do not encrypt, according to the Bureau of National Affairs.
