Concentra Health Services, Addison, Texas, a subsidiary of Humana and a provider of occupational medicine and other health services, has agreed to pay more than $1.7 million in a federal Health Insurance Portability and Accountability Act
privacy and security rule settlement, HHS' Office for Civil Rights announced.
In addition, QCA Health Plan of Arkansas in Little Rock agreed to pay $250,000 in a similar settlement, the civil rights office reported in a news release.
Both cases are linked to thefts of laptop computers that lacked data-protecting encryption, according to the agency, which has enforcement authority over HIPAA's privacy and security rules.
The civil rights office launched its investigation of Concentra after receiving a report of a breach incident at its Springfield, Mo., physical therapy center, according to the statement.
The “investigation revealed that Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information was a critical risk,” the Office for Civil Rights said. “While steps were taken to begin encryption, Concentra's efforts were incomplete and inconsistent over time, leaving patient PHI (protected health information) vulnerable throughout the organization. OCR's investigation further found Concentra had insufficient security-management processes in place to safeguard patient information.”
Concentra agreed to pay $1.7 million to settle potential security violations and to adopt a corrective action plan, the agency said.
The QCA investigation began after a February 2012 report of a security breach involving the medical records of 148 individuals on an unencrypted laptop stolen from an employee's car. It revealed that QCA “failed to comply with multiple requirements of the HIPAA privacy and security rules,” the federal agency said. In addition to the settlement, QCA “is required to provide HHS with an updated risk analysis and corresponding risk-management plan that includes specific security measures to reduce the risks to and vulnerabilities of its electronic protected health information,” the civil rights office said. Follow Joseph Conn on Twitter: @MHJConn