The federal watchdog for patient privacy this week obtained a stiff $1.7 million settlement for lax data security practices from the nation's leading worker's comp health services company, officials said.
The settlement by Humana subsidiary Concentra Health Services—the second-largest ever of its kind—comes as the Health and Human Services' Office for Civil Rights prepares to adopt a more aggressive approach to investigating compliance with so-called HIPAA privacy and security rules beginning this year.
Instead of just relying on self-reported breaches of patients' data, HHS's civil rights office will be launching a "permanent audit program" that will check compliance with patient privacy rules not only by medical providers, insurance plans, and hospitals, but also by their business associates, such as billing companies, said Rachel Seeger, OCR spokeswoman.
"We hope to audit 350 covered entities and 50 business associates in this first go-round," Seeger said. "Selected entities will receive notification and data requests in fall 2014, with business associate audit subjects being included in 2015."
The audits and settlements are designed to spur compliance with the requirement that health-related entities and their associates secure patient information kept on mobile devices.
"Our message to these organizations is simple: Encryption is your best defense against these incidents," said Susan McAndrew, OCR's deputy director of Health Information Privacy.
Since 2008, the civil rights office has sought and obtained just 19 settlements with health entities related to Health Insurance Portability and Accountability Act (HIPAA) privacy and security rule issues, mostly for some kind of data breach, Seeger noted.
Those included one in 2009 with CVS Pharmacy, which paid $2.25 million, the largest such settlement ever, after media reports claimed the chain had improperly disposed of items containing patient information in dumpsters. OCR found CVS had failed to safeguard HIPAA-protected information, and also had failed to adequately train employees in how to dispose of that information properly.
Another high-profile settlement came in 2011, when UCLA Health Services agreed to pay $865,000 after complaints that employees there had improperly viewed health information about pop singer Britney Spears and "Charlie's Angels" actress Farrah Fawcett.
But those and the other 17 settlements represent a tiny fraction of the 981 breaches affecting more than 500 individuals that have been reported since reporting began in 2009, reflecting the fact that OCR prefers to obtain voluntary compliance or corrective action, as opposed to monetary settlements.
However, OCR's looming permanent audit system could lead to more large settlements such as the one with Concentra, whose 330 locations serve 30,000 people each day in 38 states. The company, which provides occupational medicine, urgent care, physical therapy, and wellness services, boasts of treating one out of every seven worker's compensation cases in the U.S.
Concentra's data breaches included the thefts of two unencrypted laptops containing data about a combined 1,770 patients—one theft in 2009, and another in 2011. Seeger said Concentra also had 16 other breaches that each involved fewer than 500 individuals.
Entities must self-report breaches involving more than 500 individuals within 60 days of the event to OCR, but only have to report breaches involving fewer people on an annual basis.
"OCR's investigation revealed that Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information [ePHI] was at critical risk," OCR said in a prepared statement.
"While steps were taken to begin encryption, Concentra's efforts were incomplete and inconsistent over time, leaving patient PHI vulnerable throughout the organization. OCR's investigation further found Concentra had insufficient security management processes in place to safeguard patient information," the agency said.
Ross McLerran, a spokesman for Concentra's parent company Humana, said in a statement, "Since self-reporting a stolen company laptop in 2011, Concentra has worked closely with the U.S. Department of Health and Human Services Office for Civil Rights to ensure confidentiality of protected health information. We received no indication that any information on the laptop was accessed or used inappropriately. Concentra remains focused on serving the health and well-being needs of our employers and patients with the highest integrity and utmost respect."
OCR's new audit strategy also could lead to more enforcement action and settlements with entities such as Arkansas-based insurer QCA Health Plan. This month, QCA paid a $250,000 settlement to the agency after self-reporting the October 2011 theft of a laptop that contained data about just 148 patients, which an employee had left under a seat in their car.
QCA, the state's third-largest insurer, was not required to report that breach within 60 days of the occurrence because it was well under the threshold of 500 individuals affected.
But, "we voluntarily notified HHS," said Jennifer Smith, general counsel for QCA's parent company, QualChoice. What followed was "a rigorous ... and unexpected investigation" that involved more than 40 witness interviews, Smith said.
"I've never seen anything like this in my career," Smith said. "I had never seen such an extensive investigation such as ours."
Smith said she expects that insurers, including ones who report breaches of fewer than 500 people, will face heightened scrutiny under OCR's new permanent audit program.
OCR, in a prepared statement, noted that although QCA "encrypted their devices following discovery of the breach, OCR's investigation revealed that QCA failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, beginning from the compliance date of the Security Rules in April 2005 and ending in June 2012."
QCA said in its own prepared statement: "This settlement agreement is not an admission of any wrongdoing by QCA. QCA is committed to the privacy and security of its members' personal information and has strengthened safeguards to enhance the protection of their information, including encrypting all company laptops and mobile devices."
—By CNBC's Dan Mangan