The investigation of a stolen laptop from Concentra revealed that “a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (ePHI) was a critical risk,” as reported by the Office for Civil Rights (OCR) of the US Department of Health and Human Services. The April 2014 settlement included a $1,725,220 payment by Concentra to settle potential violations and the adoption of a corrective action plan that included the following “Encryption Status Update Requirements” within 120 days and a year thereafter:
a. The percentage of all Concentra devices and equipment (laptops, desktops, medical equipment, tablets, and other storage devices) that are encrypted at that point in time.
b. Evidence that all new devices and equipment (laptops, desktops, medical equipment, tablets, and other storage devices) have been encrypted.
c. An explanation for the percentage of devices and equipment that are not encrypted.
d. A breakdown of the percentage of encrypted devices and equipment for each specific Concentra facility and worksite.
The settlement also included an obligation for Concentra to report to OCR that it has provided “Security Awareness Training.”
Hopefully these OCR investigation reports will encourage better HIPAA compliance.