HIPAA violations underscore the need for device encryption
HIM-HIPAA Insider, April 28, 2014
HHS released a statement stressing the need for encryption, citing two recent OCR settlement agreements that totaled nearly $2 million as examples of the dangers posed by unencrypted devices in healthcare. Unencrypted computers and mobile devices pose a significant security risk for organizations because patient PHI is incredibly vulnerable in the event that one of these devices is stolen or hacked.
The OCR’s $1,725,220 resolution agreement with Concentra Health Services, a national healthcare company, for potential HIPAA violations stemming from the theft of an unencrypted laptop highlights the importance of encryption.
An OCR investigation revealed that during several risk analyses Concentra identified that its lack of encryption was a security threat. Although the organization took steps to encrypt its devices, its efforts were inconsistent and incomplete. Concentra failed to implement sufficient policies and procedures to detect and correct security violations by failing to execute appropriate risk management measures to reduce the lack of encryption, according to the resolution agreement.
Similarly, OCR agreed to a $250,000 monetary settlement with Arkansas-based QCA Health Plan, Inc., following an incident involving the theft of an unencrypted laptop containing PHI from a workforce member’s car. The health plan began its effort to encrypt its devices following the breach, but failed to comply with a multitude of HIPAA Privacy and Security Rule requirements from April 2005 to June 2012, according to the HHS statement. Much like Concentra, QCA Health Plan also failed to implement policies and procedures to prevent, detect, contain, and correct security violations, including conducting a thorough risk assessment, according to the resolution agreement.
Encryption is the best defense for covered entities and business associates, Susan McAndrew, OCR’s deputy director of health information privacy, said in the statement.