
On April 22, 2014, Health and Human Services’ Office of Civil Rights (OCR) published two additional Resolution Agreements that resolve potential HIPAA violations involving stolen, unencrypted laptops that contained protected health information.
The first Resolution Agreement concerns Concentra Health Services, a health care provider located in Springfield, Missouri (Concentra), which had an unencrypted laptop stolen from one of Concentra’s physical therapy centers during November 2011. The second Resolution Agreement concerns QCA Health Plan, Inc. of Arkansas, which had an unencrypted laptop stolen from a workforce member’s car.
A copy of both Resolution Agreements can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/stolenlaptops-agreements.html.
Please be advised that if you or your organization qualifies as a HIPAA Covered Entity or Business Associate, it is essential that your HIPAA Security Risk Assessment, in addition to your HIPAA Policies and Procedures, is up to date, particularly in regard to the HIPAA security safeguards, including but not limited to encryption, that are necessary to protect laptops and other mobile devices from a Breach involving Unsecured PHI.
If you have questions, please contact Susan Ziel at sziel@kdlegal.com.