HHS announces first HIPAA breach settlement involving less than 500 patients
The Hospice of North Idaho (HONI) has agreed to pay the U.S. Department of Health and Human Services’ (HHS) $50,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. This is the first settlement involving a breach of unprotected electronic protected health information (ePHI) affecting fewer than 500 individuals.
The investigation conducted by the HHS Office for Civil Rights (OCR) followed a breach report submitted by HONI as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act reporting the theft of a laptop computer containing the electronic protected health information (ePHI) of 441 patients. Over the course of the investigation, OCR discovered that HONI had not conducted a risk analysis to safeguard ePHI. Further, HONI did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule. Since the June 2010 theft, HONI has taken extensive additional steps to improve their HIPAA Privacy and Security compliance program.
This settlement is noteworthy as many Covered Entities and Business Associates have assumed that there are so many large data breaches occurring regularly, and posted on the OCR’s breach website, that they would be relatively safe or go unnoticed if smaller breaches were to occur. This landmark settlement once again provides ample time and warning to organizations that a Risk Analysis, Policies, and supporting Procedures were an important determining factor in assessing a fine. If your organization encounters health information related to an individual, you must perform a risk analysis, develop policies and supporting procedures, train the members of your workforce, and assess the success of your privacy and security programs. It costs an organization far more to endure an investigation, settlement, fine, and to have to put controls in place under the monitoring of the OCR and a third party, than to have done so proactively.
RISC Management can assist your organization with its initial, or periodic HIPAA risk analysis, with statements of policy, and with supporting procedures and control mechanisms. Visit http://www.riscsecurity.com/#!healthcare/c1iwz for more information.
The Press Release can be found on the HHS News page: http://www.hhs.gov/news/press/2013pres/01/20130102a.html and Resolution Agreement can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/honi-agreement.html.