The U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced in an April 22, 2014, press release that two separate entities—Concentra Health Services (“Concentra”) and QCA Health Plan, Inc. (“QCA”)—collectively have paid almost $2 million to resolve potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. OCR began its investigations of both entities after receiving breach reports regarding the theft of unencrypted laptop computers.

OCR received a breach report from Concentra on December 28, 2011, indicating that an unencrypted laptop was stolen on November 30, 2011, out of one of its physical therapy centers in Springfield, MO. Upon investigation, OCR discovered that Concentra had previously identified its lack of encryption as a risk, but had failed to adequately remediate and manage that risk, failed to document why encryption was not a reasonable and appropriate security measure, and failed to implement an equivalent alternative to encryption. Concentra also failed to adequately execute risk management procedures to reduce its identified lack of encryption risk. Based on the discovery of such potentially-violative conduct, Concentra agreed to pay OCR $1,725,220, and will be required (in addition to its reporting obligations) to encrypt all of its new devices and equipment, including its laptops, desktops, medical equipment, tablets, and other storage devices containing electronic protected health information (ePHI).

Mandatory encryption represents a more strict interpretation of HIPAA’s plain language, since the statute itself lists encryption as an “addressable” rather than a “required” safeguard implementation specification. See 45 C.F.R. § 164.312(a)(2)(iv). Admittedly, it is unclear whether OCR’s focus on and remedial mandate of encryption stemmed from Concentra’s own identification of its lack of encryption as a security risk. But recent comments by Susan McAndrew, Deputy Director for Health Information Privacy at OCR, while speaking at a HIMSS14 HIPAA compliance session, suggest that an increased wave of HIPAA enforcement and compliance audits are on the horizon. Combined with the encryption obligations listed in the Concentra Resolution Agreement, it is possible that OCR sees encryption as an emerging best practice, if not a close-to-required HIPAA safeguard.

In a similar set of events, OCR began its investigation of QCA after receiving a February 21, 2012, breach report that an unencrypted laptop computer containing the ePHI of 148 individuals was stolen from an employee’s car. OCR’s investigation revealed that QCA failed to implement policies and procedures to prevent, detect, contain, and correct security violations. QCA also failed to physically safeguard its ePHI-accessible workstations by neglecting to restrict access to authorized users. As a result, QCA has agreed to pay OCR $250,000, and will be required to develop risk analyses and risk management plans, provide mandatory security training to its employees, and promptly investigate any information that an employee failed to comply with security and privacy policies and procedures. Notably, although this breach implicated the ePHI of a smaller set of individuals, it still triggered an OCR investigation.

These two settlements represent the latest in a series of OCR compliance investigations and fines, including WellPoint Inc.’s July 2013 $1.7 million penalty for leaving ePHI accessible over the internet, thereby impermissibly disclosing the ePHI of 612,402 individuals. In addition, Affinity Health Plan received a $1.2 million fine in August 2013 for failing to properly dispose of a photocopier, which impermissibly disclosed the PHI of up to 344,579 individuals.

In an effort to provide preventative information to other health organizations, OCR has made available six educational programs for health care providers. Topics range from understanding the basics of HIPAA security risks to mobile device compliance measures.