HHS has announced Springfield, Mo.-based Concentra Health Services and QCA Health Plan, an insurer, will pay a combined $2 million to resolve HIPAA violation investigations that stem from the theft of unencrypted laptops containing patient information.
After receiving notification from Concentra that an unencrypted laptop had been stolen from a Concentra facility, HHS' Office for Civil Rights began an investigation that revealed Concentra was aware of the risk of using unencrypted laptops, as the healthcare provider had highlighted unencrypted devices as one of its major risks in previous risk analyses, according to the news release.
Additionally, the investigation revealed Concentra did not have adequate mechanisms in place to safeguard patient information, according to the news release.
As a result of the breach and subsequent investigation, Concentra and the OCR have entered into a resolution agreement, and Concentra has agreed to pay the OCR $1.7 million to settle the potential HIPAA violations. Under the agreement, Concentra is also required to implement a corrective action plan that specifically requires Concentra to adopt and maintain a security plan that protects its patients' information.
In 2012, QCA notified OCR that an unencrypted laptop had been stolen from a QCA employee's vehicle. The laptop contained 148 patients' protected health information, according to the news release.
After receiving the breach notice, OCR began an investigation into the breach and into QCA regarding HIPAA compliance. The investigation revealed QCA had failed to be fully HIPAA compliant from 2005 to 2012, according to the news release.
As a result of OCR's findings, QCA has agreed to pay $250,000 to resolve the HIPAA investigation, according to the news release.