On April 22, 2014, the US Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”) announced that it had reached settlement agreements with two organizations alleged to have violated the Health Information Portability and Accountability Act of 1996 (“HIPAA”) in conjunction with the theft of unencrypted computers. HHS conducted a review of Concentra Health Services (“Concentra”) and QCA Health Plan, Inc. of Arkansas (“QCA”), each of which had notified HHS of a breach following those thefts.
HHS’s investigation into Concentra’s health data privacy practices concluded that “Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (ePHI) was a critical risk. While steps were taken to begin encryption, Concentra’s efforts were incomplete and inconsistent over time leaving patient PHI vulnerable throughout the organization.” Similarly, HHS investigated the QCA breach and concluded that “while QCA encrypted their devices following discovery of the breach, OCR’s investigation revealed that QCA failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, beginning . . . in April 2005.”
Concentra agreed to pay $1,725,220 in relation to its settlement, and QCA agreed to pay $250,000. More information regarding these settlement agreements is available here. A copy of Concentra’s resolution agreement is available here; a copy of QCA’s resolution agreement is available here.