Jeff test privacy 2

Jeff test privacy 2
By Healthcare IT News
02:52 PM
Share

The biggest of the two settlements was levied against Concentra Health Services, after OCR opened an investigation following a breach report that an unencrypted laptop was stolen from one of its facilities, the Springfield Missouri Physical Therapy Center. The probe found that Concentra had previously recognized, in multiple risk analyses, that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information was a critical risk.

Steps were taken to begin encryption, but Concentra’s efforts were "incomplete and inconsistent over time," according to an HHS press release, leaving patient PHI vulnerable throughout the organization. In addition, OCR’s investigation found that Concentra had put in place sufficient security management processes to protect that information. As such, Concentra has agreed to pay $1,725,220 to settle potential violations and will "adopt a corrective action plan to evidence their remediation of these findings," according to HHS.

Meanwhile, OCR received a breach notice in February 2012 from Arkansas-based QCA Health Plan, reporting that an unencrypted laptop with the PHI of 148 individuals was stolen from an employee's car. QCA encrypted its devices following discovery of the breach, but OCR’s investigation revealed that QCA failed to comply with multiple requirements of the HIPAA Privacy and Security Rule, beginning from the compliance date of the security rule in April 2005 and ending in June 2012.

To make amends, QCA has agreed to a $250,000 settlement and is required to provide HHS with an updated risk analysis and corresponding risk management plan that includes specific security measures to reduce the risks to and vulnerabilities of its PHI. It is also required to retrain its workforce and document its ongoing compliance efforts.

The biggest of the two settlements was levied against Concentra Health Services, after OCR opened an investigation following a breach report that an unencrypted laptop was stolen from one of its facilities, the Springfield Missouri Physical Therapy Center. The probe found that Concentra had previously recognized, in multiple risk analyses, that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information was a critical risk.

Steps were taken to begin encryption, but Concentra’s efforts were "incomplete and inconsistent over time," according to an HHS press release, leaving patient PHI vulnerable throughout the organization. In addition, OCR’s investigation found that Concentra had put in place sufficient security management processes to protect that information. As such, Concentra has agreed to pay $1,725,220 to settle potential violations and will "adopt a corrective action plan to evidence their remediation of these findings," according to HHS.

Meanwhile, OCR received a breach notice in February 2012 from Arkansas-based QCA Health Plan, reporting that an unencrypted laptop with the PHI of 148 individuals was stolen from an employee's car. QCA encrypted its devices following discovery of the breach, but OCR’s investigation revealed that QCA failed to comply with multiple requirements of the HIPAA Privacy and Security Rule, beginning from the compliance date of the security rule in April 2005 and ending in June 2012.

To make amends, QCA has agreed to a $250,000 settlement and is required to provide HHS with an updated risk analysis and corresponding risk management plan that includes specific security measures to reduce the risks to and vulnerabilities of its PHI. It is also required to retrain its workforce and document its ongoing compliance efforts.