Lost or stolen unencrypted mobile devices — commonly laptops — are the primary cause of major healthcare data breaches. This unfortunate trend persists, despite warnings from the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) to healthcare providers and covered entities to encrypt electronic protected health information (ePHI) and avoid violations of the Health Insurance Portability and Accountability Act (HIPAA).
The OCR recently announced two settlements totaling nearly $2 million to resolve potential HIPAA privacy and security rule violations due to the theft of unencrypted laptops.
The first settlement involves a stolen laptop owned by a provider of urgent care services. The OCR investigation revealed that the entity recognized the risk presented by unencrypted devices containing ePHI and had initiated steps to begin the encryption process. However, the OCR determined those efforts were incomplete and inconsistent, leaving patient information vulnerable throughout its organization. The entity agreed to pay $1.72 million and adopt a corrective action plan.
The second settlement stems from a laptop stolen from the car of an employee of a healthcare insurance provider. Although the insurer began encrypting its devices after discovering the breach, OCR’s investigation revealed multiple violations of the HIPAA privacy and security rules over several years. The insurer agreed to a $250,000 monetary settlement and is required to provide the HHS an updated risk analysis and risk management plan with specific security measures, including retraining its workforce and documenting its ongoing compliance efforts.
The OCR continues to send a strong message to HIPAA-covered entities and their business associates of their obligation to ensure the security of their mobile devices and the significant risks posed by unencrypted laptop computers and other devices. At the same time, officials are stepping up enforcement actions to positively influence the priorities and culture of organizations charged with safeguarding patient information.
Covered entities and their business associates can better protect themselves and the privacy and security of patient data by enhancing their HIPAA compliance program.