The HR Legal News Blog

Loss of Unencrypted Laptop Leads to $1.7 Million HIPAA Settlement

What’s the price of losing a laptop computer? If the laptop contains unsecured protected health information (PHI), the answer can be millions of dollars.

Just ask Concentra Health Services. In October 2008, Concentra determined that 27 percent of its laptops were not encrypted. In November 2011, an unencrypted laptop was stolen from a Concentra physical therapy center in Springfield, Missouri. A Department of Health and Human Services (HHS) investigation found that Concentra had failed to encrypt its devices and to implement adequate risk management measures, even though it had known about the gap for at least three years before the theft. Under its Resolution Agreement with HHS, Concentra paid $1,725,220 in exchange for HHS’s agreement to release any claims it might have brought under HIPAA’s privacy and security regulations.

The Concentra settlement offers two lessons for group health plans and other covered entities subject to HIPAA. First, encrypting laptops and other portable devices should be the first line of defense against the loss of electronic protected health information. Under the HIPAA Security Rule, encryption of electronic PHI is an “addressable” implementation specification, but addressable does not mean optional: a covered entity must either implement encryption or document why encryption is not reasonable and appropriate and put an equivalent alternative safeguard in place. Encryption also matters for breach notification, because PHI that is encrypted in a manner consistent with HHS guidance is not “unsecured,” so the loss of a properly encrypted laptop generally is not a reportable breach. Second, if a covered entity determines that encryption is not “reasonable and appropriate” and an alternative risk management strategy is preferable, the reasons for that determination should be clearly documented. Either way, a risk analysis that identifies unencrypted devices is only the beginning; Concentra’s problem was not that it failed to find the gap, but that it left a known gap open for three years.

You might just save a couple of million dollars.