May 1, 2014
Security Lessons From Concentra and QCA
"Covered entities" should consider using the Concentra, QCA and other resolution agreements as a road map for tightening HIPAA compliance.
“Encrypt your laptops and other mobile devices.”
That is one of the key lessons that leaders of health plans, health care providers, health care clearinghouses (“covered entities”) and their business associates should take away from the Department of Health and Human Services Office for Civil Rights (OCR)'s April 22 announcement that Concentra Health Services and QCA Health Plan of Arkansas collectively are paying $2 million under separate resolution agreements stemming from thefts of unencrypted laptops.
The agreements contain equally significant, more broadly applicable lessons about some of the specific processes, actions and documentation that OCR wants covered entities and associates to implement. They must be prepared to defend the adequacy of their Health Insurance Portability and Accountability Act (HIPAA) “culture of compliance” if they file a breach report or otherwise face a HIPAA audit or investigation from OCR.
Consequently, covered entities and their leaders should also consider using these and other resolution agreements as a road map for reviewing and tightening their management oversight and other HIPAA compliance documentation and practices generally.
Concentra Resolution Agreement
Under the Concentra Resolution Agreement, Concentra agrees to pay OCR $1.7 miliion and adopt a corrective plan to settle potential violations of the HIPAA Privacy and Security Rules and evidence their remediation of OCR’s findings.
OCR opened a compliance review of Concentra after receiving a breach report that an unencrypted laptop was stolen from its Springfield Missouri Physical Therapy Center on Nov. 30, 2011. OCR’s investigation concluded that Concentra previously had recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (ePHI) was a critical risk. While steps were taken to begin encryption, Concentra’s efforts were incomplete and inconsistent, leaving patient PHI vulnerable throughout the organization. OCR’s investigation further found Concentra had insufficient security management processes in place to safeguard patient information.
QCA Resolution Agreement
QCA’s much smaller $250,000 monetary penalty under the QCA Resolution Agreement also resulted from a breach notification of the theft of an unencrypted laptop and also requires corrective actions. OCR opened its investigation after QCA reported in February 2012 that an unencrypted laptop computer containing the ePHI of 148 individuals was stolen from a workforce member’s car. OCR’s investigation revealed that while QCA encrypted its devices following discovery of the breach, QCA failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, beginning from the compliance date of the Security Rule in April 2005 and ending in June 2012.
To resolve OCR’s charges that it violated HIPAA, QCA agreed to the $250,000 monetary settlement and is required to provide HHS with an updated risk analysis and corresponding risk management plan that includes specific security measures substantially similar to those imposed on the Concentra Resolution Agreement to reduce the risks to and vulnerabilities of ePHI. QCA is also required to retrain its workforce and document its continuing compliance efforts.
Unquestionably, encryption of laptops and other mobile device is a key takeaway of the resolution agreements against Concentra and QCA. OCR Deputy Director of Health Information Privacy Susan McAndrew made this point clear in the announcement of the agreements, stating: “Covered entities and business associates must understand that mobile device security is their obligation,” and, “Our message to these organizations is simple: Encryption is your best defense against these incidents.”
However, leaders of covered entities and business associates must not overlook the more subtle but equally important messages in these resolution agreements about the management oversight and other specific actions, documentation and other evidence that OCR may expect organizations to produce. The Concentra and QCA resolution agreements, as well as their predecessors, contain detailed information about various other processes and procedures that OCR views as necessary or helpful to compliance efforts.
Both the Concentra and QCA agreements, as well as the Skagit County Resolution Agreement announced in March 2014, require specific attestations from an officer of the entity that she reviewed reports, made reasonable inquiry regarding their content and believes them to be accurate. These attestation requirements send a clear message that OCR views leaders as responsible for taking ownership of HIPAA compliance in the same manner as typically applies to other federal sentencing guideline compliance efforts. See HIPAA Covered Entities Should Review & Correct HIPAA Policies In Response To New County Hospital Resolution Agreement, Other Developments. In light of this, leadership of all covered entities and their business associates should evaluate the adequacy of their current management oversight and documentation in proving the “culture of compliance” expected by HIPAA.
Both resolution agreements require that Concentra and QCA conduct and document and report to OCR on a series of specific steps toward compliance. OCR requires Concentra and QCA, among other things, to conduct a “thorough risk assessment” of the potential vulnerabilities to the confidentiality, integrity and availability of all ePHI, then develop and implement a “detailed risk management plan” that addresses the identified compliance concerns, the plan and timeline for their redress and steps for monitoring and verifying that those actions are taken.
From the resolution agreements' discussion, leaders should expect that the documentation and evidence that OCR may require their organizations to produce will include:
- A detailed risk management plan that explains the strategy for implementing appropriate security measures;
- Evidence of all implemented and all planned remediation actions, along with timelines for their expected completion; compensating controls must be identified that will be in place in the interim to safeguard Concentra ePHI;
- For any changes to information technology (IT) infrastructure, software or other components, an updated risk analysis must be prepared for ePHI;
- Documentation of the encryption status of mobile and other devices and PHI; an organization must track compliance with requirements to encrypt devices containing ePHI and must require specific review and documentation that ePHI will not be used on computer or other devices that are unencrypted.
- Documentation that required workforce training is completed, along with the training materials used, the topics covered, the length of the session(s), when training session(s) were held and attestations or other documentation from individual workforce members that verifies participation, understanding and affirmation of the need to comply with HIPAA.
The resolution also suggests what OCR expects from privacy officers in terms of periodic reports about compliance with HIPAA, and some of the types of information that should be included:
- A summary of the organization’s security management process and the security measures taken during the reporting period, including, if applicable, any documentation of training related to those measures;
- A summary of the organization’s encryption efforts taken during the reporting period; and
- A summary of the organization’s security awareness training efforts taken during the reporting period.
So, leaders of covered entities or business associates should consider requiring periodic reporting to management on their organization’s ePHI and other privacy and security compliance that will produce documentation.
Because the Concentra and QCA& resolutions are only two of several existing ones, and likely will be supplemented by others, management also should ensure that resolution agreements and other guidance and developments under HIPAA are systematically reviewed and responded to in a well-documented manner.