
Laptop Stolen From Physical Therapy Center Results in $1.7 Million HIPAA Fine

    An unencrypted laptop stolen from a Missouri physical therapy center has resulted in a $1.7 million fine against the center's owners.

    The US Department of Health and Human Services Office for Civil Rights (OCR) announced that Concentra Health Services has agreed to pay the fee to settle potential violations of HIPAA rules when a laptop was stolen from the Springfield Missouri Physical Therapy Center, owned by Concentra. The laptop was unencrypted and contained health records protected by HIPAA.

    According to a press release from OCR, investigations into the incident "revealed that Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (ePHI) was a critical risk," but made "incomplete and inconsistent" efforts to properly encrypt computers and other devices.

    “Covered entities and business associates must understand that mobile device security is their obligation,” said Susan McAndrew, OCR’s deputy director of health information privacy in the press release. “Our message to these organizations is simple: encryption is your best defense against these incidents.” In addition to the fines, Concentra has agreed to adopt a corrective action plan and document its efforts at remediation.

    Under the HIPAA Omnibus Rule released in January 2013, providers—including physical therapists—can be subjected to extreme financial penalties for data breaches ranging from $100 per violation to a maximum of $1.5 million in a calendar year.

    OCR also announced the settlement of a February 2012 breach from QCA Health Plan Inc of Arkansas involving the theft of ePHI of 148 individuals. The settlement in that case was $250,000.

    HIPAA rules can be complex, but the consequences of not understanding them can be serious. APTA provides resources on compliance on APTA's HIPAA webpage. In addition, OCR offers 6 educational programs on HIPAA compliance, including a program devoted to mobile device security.


    • Funny we the people have to follow the HIPAA rules but the government does not. Weintraub said he's worried that by not forcing the healthcare.gov site to comply with HIPAA, applicants' personal information could be put at risk. "Because the Obamacare website has no promise of privacy, ... they've revealed that any and all info collected through the site can and may be shared with absolutely everybody. ... What they have done is essentially turned several hundred years of established medical privacy completely on its head and thrown it out the window," Weintraub said. "There's no wiggling out from under it for anyone else, other than the federal government apparently." http://www.crn.com/news/channel-programs/240163174/obamacare-site-not-hipaa-compliant-doesnt-need-to-be.htm

      Posted by thor on 4/28/2014 3:37 PM
