The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) just announced four new resolution agreements for potential violations under the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security rules.
Two of the actions involved unencrypted electronic protected health information (ePHI) on stolen laptops. The message from HHS was clear: it strongly recommends encryption. Encryption is not strictly mandated under the HIPAA Security Rule; it is an "addressable" implementation specification, which means an entity subject to HIPAA must assess whether encryption is reasonable and appropriate for its environment, implement it if so, and otherwise document why it was not adopted and what equivalent alternative was put in place. As encryption becomes cheaper and more widely available, it becomes harder and harder to show that a thoughtful risk assessment would conclude that no encryption is needed, especially for mobile devices such as laptops.
The other two resolution agreements arose from a joint action against a hospital and a university following a joint breach report filed in 2010. The hospital and university operated a shared data network that they administered together. When an employee attempted to deactivate a server on that network, the ePHI of patients became accessible to internet search engines. Links to the four resolution agreements are below.
Concentra Health Services agreed to a $1,725,220 settlement and will adopt a corrective action plan to further demonstrate compliance. This action arose from a single laptop stolen from a therapy center in Missouri.
QCA Health Plan, Inc., of Arkansas, agreed to a $250,000 settlement and to correct deficiencies in its HIPAA compliance program. This action involved the ePHI of 148 individuals stored on a laptop that was stolen from a car.
New York and Presbyterian Hospital and Columbia University agreed to a combined $4,800,000 settlement and a substantive corrective action plan. This action involved the disclosure of the ePHI of 6,800 individuals, including patient status, vital signs, medications, and lab results.
- Read the Resolution Agreement for Columbia University
- Read the Resolution Agreement for New York and Presbyterian Hospital
HIPAA is very complex and enforcement actions continue. If you have questions on HIPAA compliance, please contact Kinney & Larson.