Unencrypted Laptops Stolen, Resulting in OCR Resolution Agreements Totaling $1,975,220

 click here to learn more...
On April 22, 2014, Health and Human Services’ Office of Civil Rights (OCR) published two additional Resolution Agreements which resolve potential HIPAA violations involving stolen laptops that contained protected health information but which were not encrypted.

The first Resolution Agreement concerns Concentra Health Services, a health care provider located in Springfield, Missouri (Concentra), which had an unencrypted laptop stolen from one of Concentra’s physical therapy centers during November 2011.  The second Resolution Agreement concerns QCA Health Plan, Inc. of Arkansas which had an unencrypted laptop stolen from a workforce member’s car.

A copy of both Resolution Agreements can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/stolenlaptops-agreements.html.

Please be advised that if you or your organization qualifies as a HIPAA Covered Entity or Business Associate, it is essential that your HIPAA Security Risk Assessment, in addition to your HIPAA Policies and Procedures, are up-to-date, particularly in regard to the HIPAA security safeguards, including but not limited to encryption, that are necessary to protect laptops and other mobile devices from a Breach involving Unsecured PHI. 

If you have questions, please contact Susan Ziel at sziel@kdlegal.com.