Unprecedented Penalties Send Strong Messages

by Mike Semel

On April 22, 2014, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced two stunning penalties for lost laptops that totaled almost $2 million. Concentra Health Services paid $1.7 million and QCA Health Plan paid $250,000, and each is implementing a Corrective Action Plan, adding more costs and work.

Several comments in the Resolution Agreements make these penalties different from what we have seen before. They highlight the fact that you cannot just identify risks; you must also manage them. They also send a strong message that even when HIPAA makes a requirement Addressable, implementing neither that requirement nor a compensating control is unacceptable.


Firsts
This is the first time two breach penalties have been announced on the same day, indicating that OCR wants to hammer home the message that laptops should be encrypted.

The QCA breach was for just 148 medical records lost when a laptop was stolen from an employee’s car. The penalty is almost $1,700 per record, making it clear that even a small breach should be taken seriously.

This is the first time a breach penalty has not said that a Risk Analysis was missing. The OCR press release for the Concentra penalty stated that:

"Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (ePHI) was a critical risk. While steps were taken to begin encryption, Concentra's efforts were incomplete and inconsistent over time leaving patient PHI vulnerable throughout the organization. OCR's investigation further found Concentra had insufficient security management processes in place to safeguard patient information."

LESSON: Don’t Just Identify Risks, Manage Them
While all previous HIPAA penalties have cited the lack of a Risk Analysis, this penalty was for not managing risks that had been identified in a Risk Analysis. Many think that HIPAA and Meaningful Use require only a Risk Analysis, and forget that they also require that identified risks be managed. This should also be a lesson for those who are keeping Windows XP computers and Office 2003 now that Microsoft has stopped issuing security patches and updates.

LESSON: Consider Addressable Requirements Required
HIPAA identifies some requirements as Addressable, allowing an organization to determine if the requirement is “reasonable and appropriate” and, if not, to implement alternative measures to accomplish the goal. It does not mean that the requirement is optional.

Many Covered Entities and Business Associates consider the requirement for encrypting data to be unreasonable or inappropriate. That is OK as long as they take other measures to protect the data, like leaving it on secure servers and setting up laptops for remote access. The Concentra laptop was stolen from one of its facilities, so locking it down may have been another option. It would have been better for Concentra if they had decided that encryption was required, since they are now encrypting their devices anyway.

LESSON: Encrypt Your Devices Now. If you lose an encrypted device, it is not a reportable data breach.
Encryption probably would have cost $100 to $150 per device. Concentra reported in 2008 that 434 of its 597 laptops were encrypted, so it would have cost under $25,000 to protect the remaining devices and avoid a $1.7 million fine, plus the costs of a 2-year corrective action plan and any lawsuits filed by patients whose data was breached.
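The two lessons above (a risk that is identified but not managed, and an Addressable requirement that is met neither directly nor by a compensating control) both come down to knowing, per device, whether the disk is actually encrypted and, if not, whether a documented alternative exists. The following script is an added example, not part of the original post or of any tool mentioned in it. It decides whether a Linux host's root filesystem sits on an encrypted block device by walking the JSON tree that `lsblk -J` produces (a `crypt` node anywhere above the `/` mountpoint), and then rolls per-host results into a coverage report that lists devices whose identified risk is unmanaged. The hostnames, inventory and `lsblk` documents are constructed sample data; the `compensating_controls` mapping is an assumed inventory field.

```python
"""Audit full-disk encryption coverage across a device inventory.

root_is_encrypted() inspects the JSON output of `lsblk -J -o NAME,TYPE,MOUNTPOINT`;
coverage_report() turns per-host results into the numbers a Risk Analysis follow-up needs.
"""
import json
import subprocess
from typing import Dict, List, Optional

# Constructed sample: LUKS container (type "crypt") holding an LVM volume mounted at "/".
SAMPLE_LSBLK_ENCRYPTED = {
    "blockdevices": [
        {"name": "sda", "type": "disk", "mountpoint": None, "children": [
            {"name": "sda1", "type": "part", "mountpoint": "/boot"},
            {"name": "sda2", "type": "part", "mountpoint": None, "children": [
                {"name": "luks-sda2", "type": "crypt", "mountpoint": None, "children": [
                    {"name": "vg0-root", "type": "lvm", "mountpoint": "/"},
                    {"name": "vg0-swap", "type": "lvm", "mountpoint": "[SWAP]"},
                ]},
            ]},
        ]},
    ]
}

# Constructed sample: plain partition mounted at "/", no crypt layer anywhere.
SAMPLE_LSBLK_PLAIN = {
    "blockdevices": [
        {"name": "nvme0n1", "type": "disk", "mountpoint": None, "children": [
            {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
            {"name": "nvme0n1p2", "type": "part", "mountpoint": "/"},
        ]},
    ]
}


def root_is_encrypted(lsblk_json: dict) -> bool:
    """Return True if the device mounted at "/" has a "crypt" node as itself or an ancestor."""

    def walk(node: dict, under_crypt: bool) -> Optional[bool]:
        under_crypt = under_crypt or node.get("type") == "crypt"
        if node.get("mountpoint") == "/":
            return under_crypt
        for child in node.get("children", []):
            found = walk(child, under_crypt)
            if found is not None:
                return found
        return None

    for top in lsblk_json.get("blockdevices", []):
        result = walk(top, False)
        if result is not None:
            return result
    # No root mountpoint visible at all: treat as unencrypted rather than guessing.
    return False


def live_lsblk() -> dict:
    """Run lsblk on the local host; only used when the script is executed directly."""
    out = subprocess.check_output(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"])
    return json.loads(out)


def coverage_report(encrypted: Dict[str, bool],
                    compensating_controls: Dict[str, str]) -> dict:
    """Summarise which hosts manage the 'unencrypted ePHI device' risk and which do not.

    A host is 'managed' if it is encrypted, or if the inventory records a compensating
    control for it (the Addressable-requirement path). Anything else is an unmanaged risk.
    """
    unmanaged: List[str] = []
    compensated: List[str] = []
    for host, is_encrypted in sorted(encrypted.items()):
        if is_encrypted:
            continue
        if compensating_controls.get(host):
            compensated.append(host)
        else:
            unmanaged.append(host)
    total = len(encrypted)
    done = sum(1 for v in encrypted.values() if v)
    return {
        "total": total,
        "encrypted": done,
        "coverage_pct": round(100.0 * done / total, 1) if total else 0.0,
        "compensated": compensated,
        "unmanaged": unmanaged,
    }


if __name__ == "__main__":
    # Constructed fleet: two hosts audited from sample lsblk output plus one local host.
    results = {
        "laptop-01": root_is_encrypted(SAMPLE_LSBLK_ENCRYPTED),
        "laptop-02": root_is_encrypted(SAMPLE_LSBLK_PLAIN),
    }
    try:
        results["localhost"] = root_is_encrypted(live_lsblk())
    except (OSError, subprocess.CalledProcessError):
        pass  # lsblk unavailable (non-Linux host); skip the live check
    print(json.dumps(coverage_report(results, {"laptop-02": ""}), indent=2))
```

The report deliberately treats a missing `/` mountpoint as unencrypted, so a host that cannot be assessed shows up as work to do rather than silently counting as covered. On Windows endpoints the equivalent per-host fact comes from `manage-bde -status` or the PowerShell `Get-BitLockerVolume` cmdlet, and the same `coverage_report()` applies to those results.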