Recently, the HHS Office for Civil Rights (OCR) announced that it has entered into settlement agreements with two entities following enforcement actions, both arising from stolen laptops that were not encrypted in accordance with the Security Rule.
According to HHS, an unencrypted laptop was stolen from a physical therapy center in Springfield, Missouri. The center was part of a larger health system, Concentra Health Services. In conducting its required HIPAA risk analyses, Concentra had previously recognized that the lack of encryption on its devices posed a security risk. However, HHS found that Concentra’s efforts to address this risk were “incomplete and inconsistent over time.” Concentra has agreed to pay over $1.7 million to settle potential violations, as well as to submit a corrective action plan. This significant monetary penalty suggests HHS will not look favorably upon violations of the Security Rule that a covered entity has documented but has not made reasonable efforts to correct.