Both cases are linked to thefts of laptop computer that lacked data-protecting encryption, according to the agency, which has enforcement authority over HIPAA's privacy and security rules.
The civil rights office launched its investigation of Concentra after receiving a report of a breach incident at its Springfield (Mo.) Physical Therapy Center, the OCR statement said.
“OCR's investigation revealed that Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information was a critical risk,” the OCR said. “While steps were taken to begin encryption, Concentra's efforts were incomplete and inconsistent over time, leaving patient PHI (protected health information) vulnerable throughout the organization. OCR's investigation further found Concentra had insufficient security management processes in place to safeguard patient information.”
Concentra agreed to pay $1,725,220 to settle potential security violations and to adopt a corrective action plan, the agency said.
Concentra has appeared twice before on the OCR's “wall of shame” website for security breaches. The agency posts all security breach incidents for which medical records of more than 500 individuals compromised. Both Concentra incidents involved stolen, unencrypted laptops—the first if Fort Worth, Texas, in November 2009, affecting 900 private records, and the second (in Springfield) in November 2011, affecting 870 records. Concentra also has reported 16 additional lesser breaches involving fewer than 500 individuals' records the OCR reports.
The QCA investigation began after a February 2012 report of a security breach involving the medical records of 148 individuals on an unencrypted laptop stolen from an employee's car. It revealed that QCA “failed to comply with multiple requirements of the HIPAA privacy and security rules,” the federal agency said. In addition to the settlement, QCA “is required to provide HHS with an updated risk analysis and corresponding risk-management plan that includes specific security measures to reduce the risks to and vulnerabilities of its electronic protected health information,” the OCR said.
This was the second federal monetary settlement agreement with a healthcare organization for breaches involving fewer than 500 records. The first occurred last year when Hospice of North Idaho, paid $50,000 in a settlement involving a lost laptop with 441 records.
About 116,000 of these lesser breaches have been reported, potentially affecting from at least 116,500 to as many as 58 million individuals, according to the OCR, which does not aggregate data on these lesser breaches. Another 977 larger breaches have been posted to the agency's website. In total, the larger breaches represent the exposure of 31.3 million records.
Follow Joseph Conn on Twitter: @MHJConn