Concentra Health Services and QCA Health Plan, Inc. reached separate resolution agreements with the Office for Civil Rights (OCR) over potential violations of the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules arising from the theft of the entities’ unencrypted laptops, an agency press release announced.
In one agreement, Concentra Health Services will pay $1,725,220 to settle potential violations associated with the November 2011 theft of an unencrypted laptop from its Springfield Missouri Physical Therapy Center and will adopt a corrective action plan (CAP). According to OCR, its compliance review revealed that Concentra had, before the theft, identified the lack of encryption on laptops and other devices containing electronic protected health information (ePHI) as a critical risk.
“While steps were taken to begin encryption, Concentra’s efforts were incomplete and inconsistent over time leaving patient PHI vulnerable throughout the organization,” OCR said.
Under the second agreement, QCA Health Plan, Inc. of Arkansas will pay $250,000 to resolve potential HIPAA Under its CAP, QCA must provide the Department of Health and Human Services with an updated risk analysis and corresponding risk management plan, retrain its workforce, and document its ongoing compliance efforts, OCR said. OCR said the resolution agreement with QCA Health followed a February 2012 breach notice reporting the theft of an unencrypted laptop containing ePHI of 148 individuals from an employee’s car.
“While QCA encrypted their devices following discovery of the breach, OCR’s investigation revealed that QCA failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, beginning from the compliance date of the Security Rule in April 2005 and ending in June 2012,” OCR said.
Neither agreement is an admission of liability.