Two entities have paid the U.S. Department of Health and Human Services Office for Civil Rights (OCR) $1,975,220 collectively to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.
After receiving a breach report of a stolen laptop from Concentra Health Services, an OCR investigation determined that multiple risk analyses had identified un-encrypted laptops as a critical risk but the company had failed to consistently secure devices.
The second company, QCA Health Plan, reported a laptop stolen from an employee’s car, and an investigation by the OCR revealed that they had failed to comply with multiple requirements of the HIPAA Privacy and Security Rules.
The Resolution Agreements can be found on the OCR website at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/stolenlaptops-agreements.html
Encryption for laptops has significantly matured and can be implemented readily on desktops and laptops:
On the Mac: FileVault2 – http://support.apple.com/kb/ht4790
On the PC: BitLocker – http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption
Contact Double-Helix to learn more about best practices for transparent encryption of your company laptops.
Having a consistent process of implementing encryption across your devices will prevent your organization from having to report a breach if a laptop is lost or stolen.
