Looking over my newsfeed, I see that many healthcare-focused sites have been proclaiming that the Feds are getting serious over missing laptops and pushing the story on the importance of HIPAA laptop encryption. Earlier this month, the Health and Human Services Department’s Office for Civil Rights (OCR) announced million-dollar settlements with Concentra Health Services and QCA Health Plan.
The former settled for approximately $1.7 million, while QCA agreed to a $250,000 settlement. The latter’s settlement pales in comparison to Concentra’s (or to the other two big HIPAA settlements this month, New York Presbyterian Hospital and Columbia University Medical Center: $3.3 million and $1.5 million, respectively).
Indeed, on the surface of it, the latter’s penalty is confusing because QCA appears to have been more negligent.
Fines Up to $1.5 Million
You may have noticed that Concentra’s fine goes over the $1.5 million so-called “monetary penalty cap” under HIPAA. This is not the first time something like this has happened. NY Presbyterian, as I noted above, paid $3.3 million for its data breach and Cignet Health in Maryland was fined $4.3 million. The unexpectedly high dollar figures are easily explained. The cap is “per incident.” If Concentra had engaged in multiple HIPAA violations, then the sum of the penalties associated with these violations is not limited to just $1.5 million, although that is the limit for each HIPAA violation (not to be confused with each data breach).
OCR deputy director of health information privacy, Susan McAndrew, had this to say regarding the Concentra and QCA settlements: “Our message to [HIPAA covered entities] is simple: Encryption is your best defense against these incidents.”
But there may be more that the OCR wants to tell us.
Laptop Theft in Car < Laptop Theft in Premises?
Another thing that should attract your attention is the location where the respective data breaches took place. QCA’s unencrypted laptop was stolen from an employee’s car, a classic no-no. Concentra’s unencrypted laptop was stolen from one of its facilities.
This could be a warning to covered entities that falsely assume they can skimp on encryption (or on other safeguards, such as properly documenting everything) whenever data is not expected to leave their security perimeter.