The Violation

Concentra Health Services has been fined approximately $1.7 million and Arkansas insurer QCA Health Plan Inc. $250,000 by OCR for stolen laptops containing unencrypted Protected Health Information (PHI). (Stolen laptops lead to important HIPAA settlements). According to OCR, both Organizations demonstrated long-term non-compliance with HIPAA. Along with the fines, both organizations have committed to resolution agreements to resolve their respective HIPAA deficiencies.

In response to this settlement, an announcement titled, “Stolen Laptops Lead to Important HIPAA Settlements,” OCR noted, “These major enforcement actions underscore the significant risk to the security of patient information posed by unencrypted laptop computers and other mobile devices.” Susan McAndrew, deputy director of health information privacy, repeated: “Covered entities and business associates must understand that mobile device security is their obligation. Our message to these organizations is simple: encryption is your best defense against these incidents.”

Protect your Organization

Encryption and decryption of data in digital devices (including, but not limited to those that are portable or re-useable) should be undertaken in compliance with the Organization’s strategic IT plan. Data encryption should be managed according to HIPAA Security and NIST compliance regulations to prevent wrongful access, use and disclosure of PHI and other types of sensitive information. It is anticipated that the amount of encryption will increase over time as the different states of data (i.e., in motion, at rest and in use) are addressed. HIPAA privacy rule breach safe harbor will be established by the use of compliant encryption and decryption for as many of the data sets within this organization as possible. If a device is lost of stolen and is encrypted via a NIST approved method, HIPAA safe harbor states that the Organization does not need to report the breach.

Organization’s should regularly conduct security awareness training training for their Workforce members. This training should include: avoidance of using mobile devices where events or human error can occur result in their loss or theft; mobile devices should never be left in a visible location inside a vehicle; if a device is stolen during travel, report to local police and complete an investigation report immediately; any lost or stolen device must immediately be reported to this Organization’s Security Officer or their designee.

Practical Advice:

Tips from HHS

  • Install and enable encryption to protect health information stored or sent by mobile devices
  • Use a password or other authentication
  • Install and activate wiping and/or remote disabling to erase the data on your mobile device if stolen
  • Disable and do not install or use file sharing applications
  • Install and enable a firewall to block unauthorized access
  • Install and enable security software to protect against malicious applications, viruses, spyware and malware based attacks
  • Keep your security software up to date
  • Research mobile apps before downloading
  • Maintain physical control of your mobile device—Know where it is at all times to limit the risk of unauthorized use
  • Use adequate security to send or receive health information over public Wi-Fi networks
  • Delete all stored health information on your mobile device before discarding it
  • Provide mobile device privacy and security awareness training

More information can be found on the HealthIT.gov website.

Final Thoughts

Follow the general rule that any device that leaves the Organization should be encrypted regardless if it contains PHI or not. If the device is lost or stolen the data will not be accessible and thus under the provision of safe harbor the breach does not need to be reported. Utilizing low cost encryption methodologies can save your Organization time and money, especially when HIPAA related fines can reach upwards of $1.5 million per breach.

Our IT Solutions for Healthcare Providers: Overview

  • Managed IT Support Services – 24/7/365 remote monitoring
  • IT Service Plans – onsite, remote and virtual computer network tech support
  • Hardware and Software management and upgrades
  • Virus, spyware and security protection for your computers and servers
  • Complete support and solutions for your practice
  • HIPAA/HITECH Compliance and Tech Support services

No Medical Practice is too small

  • Small Medical Practice (1 – 4 Physicians)
  • Medium Sized Medical Practice (5 – 10 Physicians)
  • Larger Medical Practice (11 – 50+ Physicians)
Give us a call now at 201-493-1414 – your Computer Network will thank you!



Request a Consultation


If you are located in New Jersey or NJ NY area, and are looking for Managed IT services and Computer Support for your Medical Practice – look no further: we are here to provide your medical practice with reliable IT Support.

Share This