
HHS OCR Fine: The First for a Breach of Fewer Than 500 Patients – Industry Take Note

HHS announces first HIPAA breach settlement involving less than 500 patients

The Hospice of North Idaho (HONI) has agreed to pay the U.S. Department of Health and Human Services (HHS) $50,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. This is the first settlement involving a breach of unprotected electronic protected health information (ePHI) affecting fewer than 500 individuals.

The investigation conducted by the HHS Office for Civil Rights (OCR) followed a breach report submitted by HONI, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, reporting the theft of a laptop computer containing the ePHI of 441 patients. Over the course of the investigation, OCR discovered that HONI had not conducted a risk analysis to safeguard ePHI. Further, HONI did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule. Since the June 2010 theft, HONI has taken extensive additional steps to improve its HIPAA Privacy and Security compliance program.

This settlement is noteworthy because many Covered Entities and Business Associates have assumed that, with so many large data breaches occurring regularly and being posted on OCR's breach website, a smaller breach would go unnoticed or carry little consequence. This landmark settlement once again gives organizations ample warning that the presence or absence of a risk analysis, policies, and supporting procedures is an important factor in determining a fine. If your organization handles health information related to an individual, you must perform a risk analysis, develop policies and supporting procedures, train the members of your workforce, and assess the success of your privacy and security programs. It costs an organization far more to endure an investigation, settlement, and fine, and then to put controls in place under the monitoring of OCR and a third party, than to have done so proactively.

RISC Management can assist your organization with its initial or periodic HIPAA risk analysis, with statements of policy, and with supporting procedures and control mechanisms. Visit http://www.riscsecurity.com/#!healthcare/c1iwz for more information.

The press release can be found on the HHS News page: http://www.hhs.gov/news/press/2013pres/01/20130102a.html and the Resolution Agreement can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/honi-agreement.html.


HITECH Meaningful Use – The Past is not Behind Us

Many healthcare providers have said goodbye to HITECH's meaningful use stage 1 to pursue the stage 2 requirements. However, stage 2 is no stranger to its predecessor: it requires a fuller realization of the concepts and metrics behind many of the stage 1 standards.

Stage 1 was the beginning of HITECH's transformative approach to health care, requiring movement to electronic health records (EHRs) and more efficient transmission and use of those records. This is proving beneficial to patients and their care, as evidenced by the ease of e-prescribing. To keep making progress toward the vision of greater health information effectiveness, care providers must continue to raise the bar: expanding processes such as e-prescribing, and introducing processes that share care information with other relevant providers, while still maintaining the privacy and security standards for patient information.

This stage also solidifies new requirements, such as bringing patient health records to the world of internet accessibility and giving patients greater insight into their own health information. Despite the convenience and usefulness of the program as a whole, this increases the potential risks for providers. Incurring this additional risk will require organizations to perform additional risk analysis to stay in front of the threats, to ensure that best practices are followed when encrypting information in storage and in transit, and to work with clients to raise awareness of information security.

Stage 2 will bring a new planning phase, but also a new cycle in the life of what should be a living process. If you are struggling to optimize your process, let RISC Management help you maximize the potential of meaningful use stage 1 while developing a secure plan and foundation for the new requirements in stage 2.

Sponsored by: RISC Management, www.RISCsecurity.com