No. Recent enforcement suggests that the government thinks providers who are "working on" HIPAA policies and procedures should know better. Two recent HIPAA settlements involving stolen laptops show that the government has little patience for providers’ slow or incomplete efforts to implement HIPAA Security.
- Concentra Health Services paid $1,725,220 in settlement after an unencrypted laptop was stolen from its physical therapy facility. During its investigation, the government found that Concentra had identified that its lack of encryption was a critical risk. Concentra had begun the encryption process, but had not completed it—leaving PHI vulnerable. This settlement is a reminder that providers who are working on HIPAA security will not be “given a break” if they have a breach. In fact, it seems the government expects providers who have begun the Security process to know better.
- QCA Health Plan, Inc. agreed to a $250,000 settlement after an unencrypted laptop was stolen from an employee’s car. QCA encrypted all devices after the breach, but this was not enough to spare them a penalty. The government investigation found that QCA failed to comply with the Privacy and Security rules between 2005 and 2012. This settlement is another example of how incomplete attempts to comply with the HIPAA Privacy and Security rules do not count for much in the eyes of the enforcers.
Remember: HIPAA audits are coming soon. Now is the time to make sure you have addressed HIPAA Privacy, Security and Breach Notification Rules in your organization. Are you confident that you could competently respond to an OCR HIPAA audit? For help implementing HIPAA, see MPA’s HIPAA Guidance page.