In a story covered on about HIPAA Breach in Healthcare IT News this week, the HHS Office for Civil Rights settled with two organizations for just under a combined $2 million this week after it was discovered that both had PHI-containing unencrypted laptops stolen. As OCR deputy director of health information policy Susan McAndrew pointed out, the large fines are meant to drive home the
point that unencrypted laptops and mobile devices pose significant risks to patients and must be corrected.The first and bigger of the two fines was levied against Concentra Health Services when it was discovered that an unencrypted laptop was stolen from one of its facilities. OCR made a particular note of the fact that Concentra, through a series of risk analyses over a period of years, had been put on notice that it was allowing patient information to be shared on unencrypted desktop computers, tablets, and mobile phones. Instead of correcting these deficiencies through a documented remediation plan, however, Concentra allowed the bad practices to continue despite the known Security Rule violations. In the end, OCR fined Concentra over $1.7 million for the breach and forced the healthcare organization to adopt a corrective action plan and work with HHS to fix the known issues.“Our message to [healthcare] organizations is simple,” McAndrew said. “Encryption is your best defense against these incidents.”
We’ve argued on this blog about how important mobile device encryption is for a healthcare facility, and the Concentra incident only bolsters our stance. That said, implementation issues are always a concern for a healthcare IT executive, which could explain why healthcare organizations are slow to adopt technologies such as Encryption and Secure Texting that could potentially take millions of dollars of risk off of the table.
Nevertheless, when the implementation is as easy as installing an encrypted mobile application on the phone and writing a policy requiring providers to only send PHI through that channel, an administrator’s job is just about done. In an age of dramatically increasing federal fines, it’s too easy to have a provider lose a mobile device and trigger a full-blown OCR investigation. Encrypt your endpoints and avoid being front page news.
With over two decades of technology entrepreneurship background, Krishna Kurapati started QliqSOFT with the strong desire to solve clinical collaboration and workflow challenges in US Healthcare. During the late 90s, Krishna co-founded IPCell to build the first Cable IP Telephony switch, eventually selling the company to Cisco Systems. In 2003, he started Sipera (acquired by Avaya Systems) to solve security issues for Unified Communications' and raised over $30MM in venture funding. Additionally, he has been actively involved in the early-stage financing of startups in both the US and India.
Engaging Patients and Connecting Care Teams Through Interactive Digital ConversationsLearn More
Prior to the pandemic, telehealth visits ─ delivering patient-provider visits virtually ─ was an afterthought in the care continuum — ill-regarded and little-used beyond patients in rural areas who had few care choices. Virtual visits comprised less than 1% of all outpatient visits. Private insurers generally follow guidelines from the Centers for Medicare & Medicaid Services (CMS), which allowed telehealth in only limited circumstances and paid at 30% below in-office reimbursement rates.