Data Breach, HIPAA / HITECH Enforcement, News Events, OCR HIPAA Audits

HHS OCR Fine: The First for a Breach of Fewer Than 500 Patients – Industry Take Note

HHS announces first HIPAA breach settlement involving less than 500 patients

The Hospice of North Idaho (HONI) has agreed to pay the U.S. Department of Health and Human Services (HHS) $50,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. This is the first settlement involving a breach of unprotected electronic protected health information (ePHI) affecting fewer than 500 individuals.

The investigation conducted by the HHS Office for Civil Rights (OCR) followed a breach report submitted by HONI, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, reporting the theft of a laptop computer containing the ePHI of 441 patients. Over the course of the investigation, OCR discovered that HONI had not conducted a risk analysis to safeguard ePHI. Further, HONI did not have in place policies or procedures to address mobile device security, as required by the HIPAA Security Rule. Since the June 2010 theft, HONI has taken extensive additional steps to improve its HIPAA Privacy and Security compliance program.

This settlement is noteworthy because many Covered Entities and Business Associates have assumed that, with so many large data breaches occurring regularly and being posted on OCR's breach website, they would be relatively safe, or would go unnoticed, if a smaller breach were to occur. This landmark settlement once again puts organizations on notice that a risk analysis, policies, and supporting procedures are an important determining factor in assessing a fine. If your organization handles health information related to an individual, you must perform a risk analysis, develop policies and supporting procedures, train the members of your workforce, and assess the success of your privacy and security programs. It costs an organization far more to endure an investigation, settlement, and fine, and then to put controls in place under the monitoring of OCR and a third party, than to have done so proactively.

RISC Management can assist your organization with its initial or periodic HIPAA risk analysis, with statements of policy, and with supporting procedures and control mechanisms. Visit http://www.riscsecurity.com/#!healthcare/c1iwz for more information.

The press release can be found on the HHS News page: http://www.hhs.gov/news/press/2013pres/01/20130102a.html and the Resolution Agreement can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/honi-agreement.html.


CALIFORNIA DEPARTMENT OF CHILD SUPPORT SERVICES DATA BREACH

On March 29th, 2012, according to the California Department of Child Support Services (DCSS), the records of more than 800,000 individuals may have been lost by its service providers IBM and, ironically by way of their own blog post, Iron Mountain. The statement by DCSS indicates that storage devices used for data backups cannot be found, and their ultimate whereabouts are unknown. The data fields on the lost devices include a great deal of critical information: names, addresses, Social Security Numbers, driver's license numbers, names of health insurance providers, and employment information.

The data loss event should be especially noted because of the strict data protection and breach notification requirements in the State of California, such as Cal. Civ. Code §§ 56.06, 1785.11.2, 1798.29, and 1798.82.

This loss of backup devices underscores the critical importance of encrypting backup media, including tapes and hard drives, so that a device that goes missing does not expose the data it holds.

To view the breach notification letter that was sent out, please visit: http://oag.ca.gov/ecrime/databreach/reports/sb24-22855

For assistance in choosing and implementing encryption technology, please contact RISC Management at http://www.RISCsecurity.com or 630.264.1472.