An unencrypted laptop stolen from a Missouri physical therapy center has resulted in a $1.7 million fine against the center's owners.
The US Department of Health and Human Services Office for Civil Rights (OCR) announced that Concentra Health Services has agreed to pay the fee to settle potential violations of HIPAA rules when a laptop was stolen from the Springfield Missouri Physical Therapy Center, owned by Concentra. The laptop was unencrypted and contained health records protected by HIPAA.
According to a press release from OCR, investigations into the incident "revealed that Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (ePHI) was a critical risk," but made "incomplete and inconsistent" efforts to properly encrypt computers and other devices.
“Covered entities and business associates must understand that mobile device security is their obligation,” said Susan McAndrew, OCR’s deputy director of health information privacy, in the press release. “Our message to these organizations is simple: encryption is your best defense against these incidents.” In addition to the fines, Concentra has agreed to adopt a corrective action plan and document its remediation efforts.
Under the HIPAA Omnibus Rule released in January 2013, providers—including physical therapists—can be subject to extreme financial penalties for data breaches, ranging from $100 per violation to a maximum of $1.5 million in a calendar year.
OCR also announced the settlement of a February 2012 breach from QCA Health Plan Inc of Arkansas involving the theft of ePHI of 148 individuals. The settlement in that case was $250,000.
HIPAA rules can be complex, but the consequences of not understanding them can be serious. APTA provides resources on compliance on APTA's HIPAA webpage. In addition, OCR offers 6 educational programs on HIPAA compliance, including a program devoted to mobile device security.
American Physical Therapy Association | 1111 North Fairfax Street, Alexandria, VA 22314-1488 703/684-APTA (2782) | 800/999-2782 | 703/683-6748 (TDD) | 703/684-7343 (fax)
All contents © 2014 American Physical Therapy Association. All Rights Reserved.