ACCforum: A Missing Link - ACCforum

A Missing Link

#1 Guest_IDB_*

  • Group: Guests

Posted 29 November 2004 - 03:53 AM

well well, at long last, another missing link is found.
how the ACC operates and frustrates claimants and their families
is not unique or by accident

have a look at this list

This is the institute, which connects WCBs, Insurance companies, big business and governments. This shows it goes far beyond Canada's provincial borders. This is the training ground for our problems.

This is their membership list. Wonder why New Zealand and Canada have similar problems?

WCRI Members / 2004

The following organizations support the research of WCRI.


Aon Risk Services, Inc.
ChevronTexaco Corporation
Crawford & Company
First Health Group Corporation
Gallagher Bassett Services, Inc.
General Mills, Inc.
GENEX Services, Inc.
George Weston Bakeries
The Home Depot
Ingenix, Inc.
J.C. Penney Company, Inc.
Levi Strauss & Co.
Marriott International, Inc.
Marsh, Inc.
Nordstrom, Inc.
Palmetto Hospital Trust
The Procter & Gamble Company
SBC Communications, Inc.
Sedgwick Claims Management Services, Inc.
Towers Perrin Reinsurance
United Parcel Service
U.S. HealthWorks
The Walt Disney Company
Wisconsin Manufacturing & Commerce


Accident Fund Insurance Company of America
American Insurance Association
American International Group
Bituminous Casualty Corporation
California State Compensation Insurance Fund
Chubb & Son, a division of Federal Insurance Company
Employers Mutual Casualty Company
Fireman's Fund Insurance Company
General Casualty Companies
General Reinsurance Corporation
The Hartford Insurance Group
Kentucky Employers' Mutual Insurance
Liberty Mutual Group
Max Re Ltd
Midwest Employers Casualty Company
Missouri Employers Mutual Insurance Company
Nationwide Insurance Group
New Hampshire Public Risk Management Exchange (Primex3)
New Jersey Manufacturers Insurance Company
The PMA Group
Preferred Employers Insurance Company
Property Casualty Insurers Association of America

The St. Paul Travelers Companies, Inc.

Texas Mutual Insurance Company
Washington Department of Labor & Industries
West Virginia Bureau of Employment Programs
Zenith Insurance Company
Zurich North America


ConAgra Foods, Inc.
Safeway, Inc.
Target Corporation
Weyerhaeuser Company

Associate Members – State Labor Organization

California Correctional Peace Officers Association
The Center to Protect Workers' Rights
Missouri AFL-CIO
National Tertiary Educators Union
New Hampshire AFL-CIO
New York State AFL-CIO
Tennessee AFL-CIO

Associate Members – Rating Organization

Compensation Advisory Organization of Michigan
Massachusetts Workers' Compensation Rating & Inspection Bureau
Minnesota Workers' Compensation Insurers Association
North Carolina Rate Bureau
Pennsylvania Compensation Rating Bureau
Wisconsin Compensation Rating Bureau

Associate Members – Public Sector United States

Arkansas Workers' Compensation Commission
California Commission on Health and Safety and Workers' Compensation
California Department of Insurance
California Division of Workers' Compensation
Colorado Department of Labor and Employment - Workers' Compensation Division
Connecticut Workers' Compensation Commission
District of Columbia Office of Workers' Compensation
Florida Department of Financial Services
Georgia State Board of Workers' Compensation
Illinois Industrial Commission
Iowa Division of Workers' Compensation
Kansas Department of Human Resources/Division of Workers' Compensation
Kentucky Department of Workers' Claims
Louisiana Office of Workers' Compensation Administration
Maine Bureau of Insurance
Maine Workers' Compensation Board
Massachusetts Department of Industrial Accidents
Massachusetts Division of Health Care Finance & Policy
Massachusetts State Rating Bureau, Division of Insurance
Massachusetts Human Resources Division, Workers' Compensation Section
Michigan Workers' Compensation Agency
Minnesota Department of Labor and Industry
Missouri Division of Workers' Compensation
Montana Department of Labor & Industry
Nebraska Workers' Compensation Court
New Jersey Compensation Rating & Inspection Bureau
New Mexico Workers' Compensation Administration
New York State Workers' Compensation Board
North Carolina Industrial Commission
Oklahoma Workers' Compensation Court
Oregon Department of Consumer & Business Services
Pennsylvania Department of Labor and Industry
Rhode Island Department of Labor and Training
Tennessee Department of Labor
Texas State Office of Risk Management
Texas Workers' Compensation Commission
United States Department of Labor
Vermont Department of Labor & Industry
Virginia Workers' Compensation Commission
Washington Board of Industrial Insurance Appeals
Wisconsin Department of Workforce Development

Associate Members – Public Sector International

Alberta Workers' Compensation Board
British Columbia Workers' Compensation Board
Canada Association of Workers' Compensation Boards
Comcare Australia
Department for Administrative & Information Services (South Australia)
Manitoba Workers' Compensation Board
New Brunswick Workplace Health, Safety and Compensation Commission
New Zealand Accident Compensation Corporation
Ontario Workplace Safety and Insurance Board
Q-COMP (WorkCover Queensland)
Québec Commission de la Santé et de la Sécurité du Travail
Saskatchewan Workers' Compensation Board
Transport Accident Commission
Victorian WorkCover Authority
WorkCover Authority of New South Wales
WorkCover Corporation (South Australia)
WorkCover Western Australia
Workers' Compensation (Dust Diseases) Board
Yukon Workers' Compensation Health and Safety Board

#2 User is offline   fairgo 

  • Advanced Member
  • Group: Members
  • Posts: 290
  • Joined: 15-September 03

Posted 29 November 2004 - 08:19 AM

Well well well.... what have we here?? The pieces are falling into place aren't they.....

#3 User is offline   Accme 

  • Newbie
  • Group: Members
  • Posts: 0
  • Joined: 16-September 03

Posted 29 November 2004 - 12:00 PM

Your "WOOFER" would be proud of you fairgo, sniffing this out :lol:

#4 User is offline   doppelganger 

  • Advanced Member
  • Group: Members
  • Posts: 1740
  • Joined: 19-September 03

Posted 29 November 2004 - 03:20 PM

yes this does give us a direct link to most of the insurers in the world. Bet that things will start to move a bit faster now.

#5 User is offline   doppelganger 

  • Advanced Member
  • Group: Members
  • Posts: 1740
  • Joined: 19-September 03

Posted 05 December 2004 - 08:30 PM

The Impact of Initial Treatment by Network Providers on Workers' Compensation Medical Costs and Disability Payments
This abstract is from the Workers Compensation Research Institute (WCRI)

An increasing percentage of workers receive treatment for their work-related injuries and illnesses within workers’ compensation medical networks.

Advocates of networks contend that directing injured workers to network providers helps contain costs because of their specialized knowledge of occupational injuries, familiarity with administrative reporting requirements and objectivity with the disability aspects of the case. In addition, some maintain that early involvement with network providers can reduce medical and indemnity costs by both:

  • increasing the likelihood that subsequent care will be provided within a network, and
  • exercising some continuing influence over treatment decisions and facilitating return to work based on decisions made during the initial visit.

Critics, on the other hand, argue that networks may seek to contain medical costs by offering fewer services and thereby may negatively affect the quality of care for injured workers, lengthening the duration of disability and increasing income benefit payments.

The report addresses two central questions:

  • Does care by network providers reduce medical costs without increasing income benefit payments?
  • Is the first visit an important leverage point in determining the impact that a network might have?

The quality and accessibility of medical care are not directly measured in this study. WCRI is undertaking studies that will examine the effect of medical networks on worker satisfaction, health and functioning, and return to work – important dimensions of medical care for injured workers.

Major findings:

  • WCRI found that workers’ compensation medical networks are generally associated with much lower medical costs: 16 to 46 percent lower if the injured worker is treated exclusively by network providers and up to 11 percent lower if the worker is treated predominately, but not exclusively by network providers.
  • Lower network medical costs do not increase indemnity benefit costs.
  • The impact of the first non-emergency visit to a workers’ compensation network provider is significant: It is the single largest factor that determines continuing care by network providers. For workers who saw a network provider at their initial visit, network penetration rates (the percent of total medical payments paid to network providers) were, on average, 24 to 67 percentage points higher when compared to claims that involved a non-network provider at the initial visit.

The Impact of Initial Treatment by Network Providers on Workers’ Compensation Medical Costs and Disability Payments. Sharon E. Fox, Richard A. Victor, Xiaoping Zhao. August 2001. DM-01-01.

#6 User is offline   doppelganger 

  • Advanced Member
  • Group: Members
  • Posts: 1740
  • Joined: 19-September 03

Posted 05 December 2004 - 08:43 PM

Workers Compensation Fraud


Try this quick quiz: The extent of Fraud in Workers Compensation is:

a) Rampant
b) Not really as big an issue as everyone thinks it is
Answer: Who knows?

This article considers strategic and technological developments in workers compensation fraud management which may lead to more effective resource allocation as well as more accurate identification and quantification of fraud. As with most workers compensation initiatives in the last decade, a majority of information and research on fraud management comes from the US. Topics covered include:

Types of fraud in workers compensation
US Anti-Fraud Initiatives and their impact
US Fraud Awareness Campaigns
US Insurer Fraud Initiatives
Australian Fraud Management Issues

#7 User is offline   doppelganger 

  • Advanced Member
  • Group: Members
  • Posts: 1740
  • Joined: 19-September 03

Posted 05 December 2004 - 08:59 PM

Injury Reporting
By Anne Engleman (January 2003)

"Oh, come on mate, I've had a bad back for 20 years and it never stopped me from working!" "Look out mate, you might lose your job if you put in a compo claim." "Ah, it's nothing, she'll be right in a day or two."

These comments epitomise some of the reasons workers do not report workplace injuries: Culture, Fear and the John Wayne Syndrome. The Early Reporting mantra is slowly sinking in as far as employers reporting workplace injuries to their insurers. But this is the second part of the injury reporting process. What about the first part - workers reporting injuries to their employers? This is the critical part! The faster a worker reports an injury, the faster treatment can commence, and the faster the worker can recover and return to productivity. This article looks at nine reasons for why workers delay reporting injuries and provides suggestions on how employers can remove the barriers.

Read this and especially take note of what happens when you delay the reporting of injury. Costs go up.

More articles are on http://www.injurynet...icles.cfm#fraud

#8 User is offline   doppelganger 

  • Advanced Member
  • Group: Members
  • Posts: 1740
  • Joined: 19-September 03

Posted 05 December 2004 - 10:06 PM

and just a little bit more

Presenteeism and Productivity

May 20, 2004
By: Marybeth Stevens
Business and Health


Three companies showcase different approaches to addressing reduced productivity in the workplace.

By Marybeth Stevens, MS, CDMS, CCM, CRC
Employee health is a bottom-line issue with a straight-line connection to a company's profitability. Companies have realized lower costs, reduced absences and improved morale through disability management and return-to-work programs that ease ill and injured workers back into their jobs as quickly as medically feasible. Efforts, however, have not stopped there.

Companies continue to focus on employee health and wellness with innovative strategies that help bolster productivity. These initiatives bring together various experts and services, from disability managers to occupational health nurses and Employee Assistance Program (EAP) professionals. Their efforts are aimed at absence management, seeking to reduce the number and duration of unplanned employee absences due to illness, injury, or a personal or family problem. The next step, which companies are beginning to take, is to tackle presenteeism — helping employees who are at work to be the most productive possible. That means addressing the health, psychological and personal issues that distract employees and reduce their productive work hours.

The strategies used are as varied as the problems themselves. Some companies offer wellness and prevention to help employees deal with chronic health problems such as diabetes, hypertension, obesity and asthma. Others offer limited counseling and access to experts through EAP services to address personal, family, financial or legal problems. Rather than targeting only one aspect of employee productivity, the programs tend to be integrated, providing solutions to complex productivity issues in the workplace.

This article will explore the efforts of three employers to address absence management and presenteeism:

  • BankOne — The sixth largest bank in the U.S. with approximately 70,000 employees (prior to proposed acquisition by J.P. Morgan).
  • The Hartford — The country's second largest group disability carrier with 28,000 employees.
  • Polk County, Florida — Covering the Polk County Board of Commissioners and all of its offices (including sheriff's, clerk of the court, tax collector, supervisor of election and property) with 4,300 employees.

BankOne: Integrating resources
At Chicago-based BankOne, employee health and wellness programs have focused sharply on two major productivity issues: reducing disability and keeping employees productive at work. "Disability is the end game," explained Wayne Burton, MD, senior vice president and corporate medical director for BankOne. "What you want to do is develop programs and services to avoid employees becoming disabled, and to have programs in place to help them come back to work quickly and stay at work."

As part of this effort, BankOne has decided to manage internally its short-term disability and Family Medical Leave Act (FMLA) absences under the umbrella of its health management services/corporate medical director's office. This allows the company to devote diverse yet complementary resources — from EAP counselors to occupational nurses — toward the goals of avoiding disability and reducing absences. While the corporate medical department focuses on the health issues that cause absenteeism and reduced productivity at work, the EAP emphasizes the psychological and personal aspects, from childcare or eldercare concerns to the need for short-term psychological counseling.

"Normally short-term disability is handled by an external vendor. It's a silo, and there is very little interaction with the corporate medical department," Burton said.

By managing short-term disability internally, BankOne can offer assistance to employees to help them return to work, stay at work, and be as productive as possible while at work.

In practice, for example, this means that an employee who has been on short-term disability because of diabetes will have assistance from an occupational health nurse to help educate him or her about wellness and blood sugar monitoring. Or, an employee who has been off work due to mental-health issues such as depression will have assistance from occupational health nurses and the clinical psychologists from the EAP program.

This integrated approach allows BankOne to amplify the benefits of its programs. By addressing health and personal issues that cause short-term disability, the company can also help prevent productivity losses due to presenteeism.

An important component of the programs is disease management, targeting issues such as hypertension, diabetes, asthma, obesity and even prenatal health and pregnancy issues. "It's more than just screening. It's calling employees back and assisting them, giving them the guidance they need to talk to their doctors about their health concerns," Burton added.

The results of its efforts are impressive. BankOne participated in a major benchmarking study in 2002/2003, comparing it with peer banks. "We turned out to be best in class when we looked at short-term disability costs, long-term disability costs, days out of work and so forth," Burton said. "I believe that is because of the integrated way we look at disability. The benefits weren't the issue; they were about the same among the banks. It was really about how the people are managed."

The Hartford: Evolution of a program
The Hartford has undergone an evolution in its thinking about employee disability, preventing absences and improving productivity, which is reflected in its internal programs (the company is self-insured) and the programs it offers its customers.

Carol Harnett, National Practice Leader of The Hartford's Group Disability and Life Practices, traces the changes back to 1993. In the wake of the passage of the Americans with Disabilities Act (ADA), The Hartford began embracing an "ability philosophy" that focuses on what people could do, not what they couldn't do because of a disability or other limitation.

Based in Connecticut, The Hartford in 1997 became one of the first companies to integrate workers' compensation and disability insurance, bringing together the reporting and managing of cases whether they were occupational or non-occupational. Job modifications and temporary assignments for workers' compensation cases were also made available to those who suffered an illness or injury away from work.

In 2001, The Hartford began to look more closely at the inter-relationship between medical and disability costs. The impetus was a national study that showed about 11 percent of employees at a typical company accounted for 53 percent of all medical costs. "That meant, if a company could get to the root causes, it could address about half of its medical costs," Harnett said.

Studying its workers' compensation and disability cases, The Hartford found that 24 percent were due to musculo-skeletal problems. That prompted the company to invest resources in ergonomics and onsite medical and fitness services. The scope broadened from those employees who had suffered injuries to a broader population with an eye toward prevention.

The wellness-prevention theme runs through The Hartford's programs as it tackles health issues such as diabetes, asthma and obesity. "We are not unlike the rest of the U.S. Our employees are gaining weight year after year, just like the rest of the U.S., in which about 65 percent of the American population meets the definition of being overweight or obese," Harnett explained.

To raise awareness about the problem and to promote fitness, The Hartford has launched internal initiatives and external programs such as becoming the first U.S. corporation to sponsor the U.S. Paralympics, a member of the U.S. Olympic Committee that provides opportunities and funding for athletes with physical disabilities to compete at the Olympic level. "The connection between health and fitness is important to us. There is a connection between how employees take care of themselves and what the company's medical/disability experience is," Harnett observed.

In 2002, The Hartford took what Harnett calls its "biggest step toward understanding why people are out of work," by integrating the reporting of FMLA absences with workers' compensation and disability. "Whether I'm off due to illness, injury or because my mother is sick, I can call a single 800-number. Even though the case is handled one of three ways, I only have to call one number — and the absences are all tracked together." In addition, when an employee calls in to report an FMLA absence, he or she can be reminded of EAP services available either onsite or telephonically, which can help get employees back to work and stay productive on the job.

Based on the company's experience, as well as the coverage it offers, Harnett offered a three-point guideline. The first step, she explained, is to look at plan design and how it has evolved. Second, understand the interrelationship between medical and disability experiences and costs. Third, look beyond limiting or eliminating coverage to cut costs to consider more proactive solutions.

"If a company can do those three things, it will address not only the absenteeism issue, but also presenteeism," Harnett said. "There's one thing that must be understood about presenteeism: it's a continuum."

Polk County: Onsite medical, pharmacy services
When Michael S. Kushner first went to work for Polk County, Florida, in 1994 as director of risk management, one of the first things he saw was a lack of integration in employee health issues. Physical exams for employment were done in one place. Workers' compensation cases were treated at another. And there was no connection between workers' compensation and disability.

Polk County brought together employee health and wellness under one roof — literally, through its Occupational Health and Wellness Center, which handles everything from pre-employment physicals and drug screenings to wellness initiatives for employees on topics such as smoking cessation and diabetes management.

"Our goal in opening the health and wellness center for county employees was not only to provide education about their personal health, but also to provide employees an integrated approach — whether the issue stems from a worker's compensation event or a disability claim or a health and wellness issue," Kushner added.

To complement the health and medical center, Polk County decided to add onsite pharmacy services to increase the efficacy of patient medications and reduce medical costs. One of the reasons, Kushner explained, was an increase in employee co-pay on prescriptions, which led some employees not to fill prescriptions or to take their medicines less frequently to reduce refills. When medicine is not taken as prescribed, however, employee health is compromised.

Starting in November 2002, a pharmacist has been onsite at Polk County offices three days a week, counseling employees and their families about their prescriptions and drug issues, including over-the-counter medications and herbal supplements that they might be taking. The pharmacist looks at possible drug-interactions or duplications, and may consult with physicians about more effective drugs.

"Through the onsite pharmacy, we've been able to address patient safety and realize better impact on the outcome of overall patient care, from the onset of a condition to drug therapy. That means better outcomes and lower hospitalization costs," Kushner explained.

An initial review of the onsite pharmacy showed favored results, including a 3-to-1 return on investment, he added.

The onsite medical and pharmacy centers address employee needs across the spectrum, from emergency care to chronic conditions and prevention. The onsite medical department also handles triage in workers' compensation cases, including securing a speedy referral to specialists or other care providers.

As ill or injured employees recover, they are eligible for the active transitional duty program that is open to all workers, whether the incident was job-related or non-occupational. "We've studied all the employee job descriptions and we have designed 75 legitimate transition duty jobs that employees can do no matter where they work. These are valid jobs that contribute something to the county, to help the productivity of the organization," Kushner added.

At the heart of it all is the onsite medical center, bolstered by the onsite pharmacy, which Kushner sees as a means for employees to "filter their health concerns, and all their privacy is protected." In addition, the center also allows the employer to offer prevention programs, including incentives to meet personal health goals.

"We're certainly able to justify a lot of the cost of the program through hard dollar savings," Kushner observed. "Beyond that, you really have to sell it as a leap of faith. You have this intuitive sense that something will work. You have to have people who will believe in this concept between health and wellness and prevention."

As these case studies illustrate, addressing the health, wellness and personal/family needs of employees will not only reduce absences, but also help workers be more productive on the job. By integrating the initiatives, maximum benefits can be derived with a focus on common, bottom-line goals: improving the health of employees and the productivity of the organization.

Marybeth Stevens, MS, CDMS, CCM, CRC, is the Chair of the Certification of Disability Management Specialists Commission (CDMSC), the only nationally accredited organization that certifies disability management specialists. For more information on the CDMSC and its certification, please see the website at . Ms. Stevens is also the leader for delivery of Workplace Absence and Disability Management Programs for General Electric Co., managing the operations for GE's U.S. disability program.



#9 User is offline   hukildaspida 

  • Advanced Member
  • Group: Member
  • Posts: 3353
  • Joined: 24-August 07

Posted 19 May 2014 - 02:56 PM

Here's a link to Concentra Health Services that is mentioned in post #1 of this topic.

Are all laptops/portable electronic devices that staff & contracted agents use & take home encrypted?

If not, why not?

If so, how long have they been encrypted for?

Theft of unencrypted laptops leads to two HHS settlements totaling nearly $2 million

Perkins Coie LLP
Dean W. Harvey, Anastasia K. Anderson and David B. Robbins
April 30 2014


On April 22, the U.S. Department of Health and Human Services (HHS) announced settlements with both Concentra Health Services (Concentra) and QCA Health Plan, Inc. (QCA).
Through these latest settlements, HHS is reiterating its message to covered entities and business associates that laptops and similar devices containing electronic protected health information (ePHI) should be encrypted. HHS also put the industry on notice that any entity self-reporting a security breach should not expect much leniency.

Concentra Security Breach

In December 2011, Concentra self-reported to HHS’s Office of Civil Rights (OCR) that an unencrypted laptop containing names, Social Security numbers, and pre-employment work fitness test results for 870 patients was stolen from one of its physical therapy centers.

HHS determined that “Concentra identified in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information was a critical risk.” The last Concentra project report in October 2008 indicated that about 73% of Concentra’s laptops were encrypted. Unfortunately, Concentra took an inventory and began encrypting all remaining unencrypted devices seven months after the security breach. Thus, the encryption process was viewed as being untimely.

Although it was not mentioned in the Resolution Agreement, HHS may have also considered the fact that this was the second unencrypted laptop containing ePHI that Concentra lost to theft. The first was stolen in November 2009 and included ePHI for 900 patients. So this theft also occurred after the risk was identified and after an earlier recommendation from the project to encrypt laptops.

As a result of its investigation, HHS determined that

Concentra failed to adequately remediate and manage its identified lack of encryption or, alternatively, document why encryption was not reasonable and appropriate and implement an equivalent alternative measure to encryption, if reasonable and appropriate, from October 27, 2008, until June 22, 2012 . . . (see 45 C.F.R. § 164.312(a)(2)(iv)) . . . [and] Concentra did not sufficiently implement policies and procedures to prevent, detect, contain, and correct security violations under the security management process standard when it failed to adequately execute risk management measures to reduce its identified lack of encryption to a reasonable and appropriate level from October 27, 2008 . . . until June 22, 2012 . . . (see 45 C.F.R. § 164.308(a)(1)(i)).

Concentra Resolution Agmt. 1.

QCA Security Breach

QCA self-reported on February 21, 2012 that an unencrypted laptop containing ePHI of 148 individuals was stolen from the car of a member of QCA’s workforce. Unlike Concentra, there is no indication that QCA had previously identified its unencrypted laptops as a security risk.

Perhaps this failure to identify the risk is the basis for the HHS investigation determining that

QCA did not implement policies and procedures to prevent, detect, contain, and correct security violations, including conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI it held, and implementing security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 45 C.F.R. § 164.306 from the compliance date of the Security Rule to June 18, 2012.

QCA Resolution Agmt. 1 (emphasis added). In addition, the HHS investigation determined that QCA failed to implement physical safeguards for all workstations that access ePHI to restrict access to authorized users.

The Settlements

Without admitting liability, Concentra agreed to pay $1.7 million to settle the potential HIPAA violations, or about $1,954 per record affected by the breach. QCA, also without admitting liability, agreed to pay $250,000 to settle the potential HIPAA violations, or about $1,689 per record affected by the breach.

These penalties do not reflect the true cost of either settlement. Both Concentra and QCA were required to agree to two-year corrective action plans.

The Concentra Corrective Action Plan (CAP) is the more onerous of the two and provides that

Concentra must provide to HHS (within four months, and then at the one-year and two-year marks):
  • A risk analysis including a thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all Concentra ePHI.
  • A risk management plan that explains Concentra’s strategy for implementing security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level, including the following:
      • Material evidence of all implemented and planned remedial actions associated with the risk management plan.
      • For all planned remediation, specific timelines for expected completion and identification of interim measures to safeguard Concentra’s ePHI.

Concentra must also provide, when applicable, an updated risk analysis and risk management plan for any changes or updates to its organizational information technology (IT) infrastructure (security environment) that affects risk to its ePHI.

HHS retains the right to specify required changes to such plans.

Concentra is obligated to promptly implement the security management process, including any applicable training.
In addition to the required risk analyses and risk management plans, Concentra must provide an update to HHS regarding the status of its encryption efforts, including:
  • The percentage of all devices and equipment (laptops, desktops, medical equipment, tablets, and other storage devices) that are encrypted.
  • Evidence that all new devices and equipment (laptops, desktops, medical equipment, tablets, and other storage devices) have been encrypted.
  • An explanation for why the remaining devices and equipment are not encrypted.
  • A breakdown of the percentage of encrypted devices and equipment for each specific Concentra facility and worksite.

On the same schedule, Concentra must confirm that all workforce members have completed security awareness training and must include all materials used for the training, a summary of the topics covered, the length of the session(s), and a schedule of when the session(s) were held.

On the same schedule, Concentra must summarize for HHS the status of its implementation of the obligations of the CAP, including an attestation by a Concentra officer as to the implementing report’s accuracy and that Concentra has complied with the CAP.

Finally, Concentra must also submit attested annual reports with respect to the status of and findings regarding Concentra’s compliance with the CAP for each year of the CAP.

The QCA CAP contains similar but less burdensome requirements. QCA needs to provide a risk analysis and risk management plan once, meet similar training requirements, and report any reportable events. There is no obligation to submit repeated risk analyses and risk mitigation plans and no obligation to submit encryption status reports or implementation plans.


The settlements in question suggest that the investment in time and resources to comply with the CAPs may significantly exceed the out-of-pocket monetary penalties. Susan McAndrew, OCR’s deputy director of health information privacy, made the intended message behind these penalties clear in her statement released with the settlement announcement: “Covered entities and business associates must understand that mobile device security is their obligation. Our message to these organizations is simple: encryption is your best defense against these incidents.” This message is likely driven by the fact that theft of mobile devices (e.g., laptops) was the top cause of HIPAA security breaches in 2013, representing 45% of total reported incidents involving over 83% of unsecured ePHI improperly disclosed. See Redspin, Inc., Breach Report 2013: Protected Health Information (Feb. 2014), available here.

It is less clear why HHS made the QCA CAP so much less burdensome than the Concentra CAP. Regardless, it is clear that HHS is keen on covered entities’ expending whatever resources are needed to encrypt mobile devices and will mete out substantial punishment for failure to do so—punishment that will combine cash and continuing, burdensome administrative obligations to protect ePHI (and mollify an unhappy agency).

Information Technology,
Perkins Coie LLP

