Recently, the Office of Civil Rights (OCR) levied nearly $2,000,000 in fines on two organizations in an effort to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) stemming from the theft of unencrypted laptops. Specifically, OCR fined provider organization Concentra Health Services $1,725,220 after an unencrypted laptop was stolen from one of its facilities, and fined Arkansas insurer QCA Health Plan Inc. $250,000 after an unencrypted laptop containing personal health information for 148 people was stolen from an employee's car.
These enforcement actions serve as a reminder of the significant risks unencrypted laptop computers and mobile devices pose to the security and integrity of sensitive patient information and underscore the need for all entities to encrypt their laptops and other devices. In response to these two incidents, Susan McAndrew, OCR’s deputy director of health information privacy, explained “our message to these organizations is simple: encryption is your best defense against these incidents.”
Accordingly, it is clear from these settlements that covered entities and business associates need to understand that encryption is an obligation and, consequently, must respond appropriately to ensure they are HIPAA compliant or face heavy penalties.