Blogs-Practical Benefits Lawyer

Two Covered Entities Settle Potential Violations of HIPAA Privacy and Security Rules For Approximately $2 Million

May 16, 2014
The U.S. Department of Health and Human Services (“HHS”) recently announced resolution agreements (“RAs”) with two covered entities, a health care provider and an insurer, under HIPAA’s privacy and security rules (the “Rules”), requiring combined payments of approximately $2 million to settle potential violations of the Rules. Both RAs stemmed from investigations conducted by HHS as a result of breach notifications the covered entities submitted to report the thefts of laptop computers containing unencrypted electronic protected health information (“ePHI”). Apart from the settlement payments, the RAs impose two-year corrective action plans, including the performance of risk analysis, implementation of risk management plans and training, and periodic follow-up activities with HHS. Although failure to encrypt ePHI is not a per se violation of the Rules, the HHS news release regarding the RAs underscores HHS’ view that unencrypted laptops and other mobile devices pose significant risks to the security of ePHI, and “encryption is [a covered entity’s] best defense against these incidents.” A copy of the health care provider’s resolution agreement is available here. A copy of the insurer's resolution agreement is available here. A copy of the HHS news release is available here.