A recent HHS statement  emphasizes the need for encryption, citing two recent OCR settlement agreements that totaled nearly $2 million as examples of the dangers posed by unencrypted devices in healthcare. Unencrypted computers and mobile devices pose a significant security risk for organizations because patient PHI is incredibly vulnerable if one of these devices in stolen or hacked.
OCR’s $1,725,220 resolution agreement with Concentra Health Services, a national healthcare company, for potential HIPAA violations stemming from the theft of an unencrypted laptop computer highlights the importance of encryption.
An OCR investigation revealed that during several risk analyses Concentra identified that its lack of encryption was a security threat. Although the organization took steps to encrypt its devices, its efforts were inconsistent and incomplete. Concentra failed to implement sufficient policies and procedures to detect and correct security violations by failing to execute appropriate risk management measures to reduce the lack of encryption, according to the resolution agreement .
Similarly, OCR agreed to a $250,000 monetary settlement with Arkansas-based QCA Health Plan, Inc., following an incident involving the theft of an unencrypted laptop containing PHI from a workforce member’s car. The health plan began its effort to encrypt its devices following the breach, but failed to comply with a multitude of HIPAA Privacy and Security Rule requirements from April 2005 to June 2012, according to the HHS statement. Much like Concentra, QCA Health Plan also failed to implement policies and procedures to prevent, detect, contain, and correct security violations, including conducting a thorough risk assessment, according to the resolution agreement. 
Encryption is the best defense for covered entities and business associates, Susan McAndrew, OCR’s deputy director of health information privacy, said in the statement.