The Office for Civil Rights (OCR) which is part of the U.S. Department of Health and Human Services (HHS) opened compliance reviews for stolen unencrypted laptop computers. The OCR compliance review of Concentra Health Services was related to receipt of a breach report that an unencrypted laptop was stolen from one of its facilities, the Springfield, Mo., Physical Therapy Center. The OCR investigation revealed that Concentra had previously recognized in multiple risk analyses a critical risk due to a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (ePHI). Although steps were taken to begin encryption, the investigation found that Concentra's efforts were deficient and inconsistent over time, leaving identifiable patient protected health information (PHI) vulnerable throughout the organization. The OCR's investigation further found Concentra had insufficient security management processes in place to safeguard patient information. Additionally, the OCR received another breach notice in February 2012 involving the QCA Health Plan of Arkansas. The report was that an unencrypted laptop computer containing the ePHI of 148 individuals was stolen from a workforce member's car. Although QCA corrected the situation by encrypting its devices following the discovery of the breach, the OCR's investigation revealed that QCA failed to comply with multiple HIPAA requirements beginning from the compliance date of the security rule in April 2005 and ending in June 2012.In November 2021, 30 data breaches of 10, 000 or more medical records were reported and 4 of those resulted in the exposure or theft of more than 100,000 records. The worst breach involved exposure of 582,170 records by hackers into an imaging center. (HIPAA Journal at https://www.hipaajournal.com/november-2021-healthcare-data-breach-report/)

1. Most PT practices and health care systems use electronic medical records (EMRs). Describe the advantages and the risks of using EMRs and technical devices, such as laptops, tablets, and phones, in the delivery of healthcare. What safety measures are reasonable for practices, providers, and healthcare systems to use to reduce the risk of theft or unauthorized access to protected health information?