HIPAA violations underscore the need for device encryption
HIM-HIPAA Insider, April 28, 2014
Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!
HHS released a statement stressing the need for encryption, citing two recent OCR settlement agreements that totaled nearly $2 million as examples of the dangers posed by unencrypted devices in healthcare. Unencrypted computers and mobile devices pose a significant security risk for organizations because patient PHI is incredibly vulnerable in the event that one of these devices in stolen or hacked.
The OCR’s $1,725,220 resolution agreement with Concentra Health Services, a national healthcare company, for potential HIPAA violations stemming from the theft of an unencrypted laptop highlights the importance of encryption.
An OCR investigation revealed that during several risk analyses Concentra identified that its lack of encryption was a security threat. Although the organization took steps to encrypt its devices, its efforts were inconsistent and incomplete. Concentra failed to implement sufficient policies and procedures to detect and correct security violations by failing to execute appropriate risk management measures to reduce the lack of encryption, according to the resolution agreement.
Similarly, OCR agreed to a $250,000 monetary settlement with Arkansas-based QCA Health Plan, Inc., following an incident involving the theft of an unencrypted laptop containing PHI from a workforce member’s car. The health plan began its effort to encrypt its devices following the breach, but failed to comply with a multitude of HIPAA Privacy and Security Rule requirements from April 2005 to June 2012, according to the HHS statement. Much like Concentra, QCA Health Plan also failed to implement policies and procedures to prevent, detect, contain, and correct security violations, including conducting a thorough risk assessment, according to the resolution agreement.
Encryption is the best defense for covered entities and business associates, Susan McAndrew, OCR’s deputy director of health information privacy, said in the statement.
Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!
Related Products
Most Popular
- Articles
-
- Don't forget the three checks in medication administration
- Note similarities and differences between HCPCS, CPT® codes
- Complications from immobility by body system
- OB services: Coding inside and outside of the package
- The consequences of an incomplete medical record
- Q&A: Primary, principal, and secondary diagnoses
- Differentiate between types of wound debridement
- Practice the six rights of medication administration
- Nursing responsibilities for managing pain
- ICD-10-CM coma, stroke codes require more specific documentation
- E-mailed
-
- Correctly bill ancillary bedside procedures in addition to the room rate
- Q&A: Utilization Review Committee Membership
- Q&A: Bill blood administration the same way for inpatient and outpatient accounts
- Q&A: A second look at encephalopathy as integral to seizures/CVA
- Performing a SWOT analysis
- OB services: Coding inside and outside of the package
- Know the medical gas cylinder storage requirements
- Intravenous therapy guidelines
- Coding, billing, and documentation tips for teaching physicians, interns, residents, and students
- Coding tip: Watch for different codes for SI joint injections
- Searched