The federal government isn’t exactly known as an entity that commonly takes quick and decisive action. We like to bemoan our do-nothing Congress and the stifling layers of bureaucracy that stand between leadership and actual legislation. Yet in some cases, the feds like to keep us on our toes; such is the story with recent hefty settlements reached with a couple of healthcare entities that had played fast and loose with patient information.
For those healthcare providers still resistant to upgrading their IT security practices, consider yourselves warned: the grand total in fines for these two entities and their violations of HIPAA Privacy and Security Rules came to nearly two million dollars. If you still think no one is paying attention to what healthcare institutions are doing to guarantee patient privacy and healthcare information security, think again.
Crimes and Punishments
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) levied the fines. Speaking on behalf of OCR, Susan McAndrew, deputy director of health information privacy, stated: “Covered entities and business associates must understand that mobile device security is their obligation. Our message to these organizations is simple: encryption is your best defense against these incidents.”
The incidents that led to these hefty fines involved stolen unencrypted laptops. The first was discovered by OCR during a HIPAA compliance review of a physical therapy program administered by Concentra Health Services in Springfield, Missouri. Here are the facts:
- Concentra conducted a number of risk analysis studies and discovered that unencrypted laptops, desktops, and other mobile devices all contained sensitive patient information.
- Concentra failed to take any significant action to guard patient information against these admitted points of vulnerability.
- As a result of their failure to take action to resolve the security risks and a finding of generally insufficient patient information security, Concentra will have to write a $1,725,220 check. That’s enough to make anyone need physical therapy.
In the other incident, Arkansas-based QualChoice QCA Health Plan, Inc. reported the theft of an unencrypted laptop containing the sensitive patient information of nearly 150 people. The laptop in question was stolen from a QCA employee’s car. Hindsight being 20/20, QCA took immediate action to encrypt the remainder of its devices, but OCR determined that in this case it was too little, too late. QCA settled with OCR for $250,000 and must also submit a security risk analysis and a corresponding risk management plan to address any discovered points of IT security weakness.
So, if your organization is behind the times with regard to healthcare information security, you may also be behind the 8-ball of federal HIPAA enforcement efforts. If your institution is still working on unencrypted devices, here are a few immediate steps to take:
- Perform a thorough risk analysis of your healthcare IT security
- Address any discovered chinks in your infosec armor
- Retrain staff on meeting current standards
- Keep thorough records of steps taken to improve healthcare IT security in the event that you find yourself under investigation following a breach
Health and Human Services’ OCR offers a number of training programs for healthcare providers. Designed to help personnel understand HIPAA Privacy and Security Rules and ensure compliance, these programs are free with Continuing Medical Education credits available. For more information, visit OCR’s training site.