Data Breach, Education, HIPAA / HITECH Enforcement, OCR HIPAA Audits, Social Media

Small healthcare provider pays huge security fine after the theft of an unencrypted laptop

If you think your organization is too small to attract the attention of the U.S. Department of Health and Human Services, think twice.
The department recently settled a security dispute with a hospice in Idaho for $50,000. The potential violation of the Security Rule of the Health Insurance Portability and Accountability Act of 1996 involved a data breach of health information affecting 441 patients.

Mobile devices collage
The Hospice of North Idaho agreed to pay $50,000 to settle potential violations after an unencrypted laptop computer containing the electronic protected health information of the patients had been stolen in June 2010.
Field workers for the hospice use laptops containing patient information as a regular component of their workflow. In an investigation by the Department of Human Services’ Office for Civil Rights, it was revealed the hospice had not conducted a risk analysis to safeguard the electronic patient information and didn’t have policies or procedures to address mobile device security. The lack of a risk analysis has become a regular theme in the publicly available settlement agreements published by the OCR.
The HIPAA Security Rule and HITECH Act Data Breach requirements mandate the existence policies and the reporting of inappropriate or unauthorized access to PHI or ePHI called breaches. The Health Information Technology for Economic and Clinical Health Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information of 500 individuals or more to the government and the media within 60 days after the discovery of the breach, or when the breach should have been discovered. Smaller breaches affecting less than 500 individuals must be reported to the secretary of Health and Human Services on an annual basis.
“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information,” Office for Civil Rights Director Leon Rodriguez said in a press release from the Department of Health and Human Services. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.” RISC Management’s stance on encryption is that implementation has become easy enough, and cost has been reduced enough, that choosing not to implement encryption is difficult to justify. With the exception of “legacy systems” that were developed long before data encryption was readily available, there are few relational database platforms or operating systems that don’t support encryption today. And even for those systems, there are third party applications and technology that can implement encryption in such a manner that it both provides safe harbor, and, does not require the rewriting of legacy applications.
The Idaho hospice has taken steps to remedy its compliance since the 2010 theft.
The Department of Health and Human Services provides tips to physicians, health care providers and other healthcare professionals who use smartphones, laptops and tablets in their work here (visit
RISC Management and Consulting can help assess your encryption capabilities, identify supported encryption options, and assist you in implementing standards-based encryption that may provide safe harbor under the HITECH rules.

Education, Trends & Technology

Time for a Social Media Policy

Social networking

According to the Pew Research Center, social networking has spread around the world with remarkable speed. In countries such as Britain, the United States, Russia, the Czech Republic and Spain, about half of all adults now use Facebook and similar websites. These are among the key findings from a 21-nation survey conducted by the Pew Research Center’s Global Attitudes Project from March 17-April 20. The survey also finds that global public are sharing their views online about a variety of topics, especially popular culture.

On a similar note, the New York Times Blog Journal posted this headline “After an Outburst on Twitter, The Times Reinforces its Social Media Guidelines.” Here is a portion of the memo that went out to the staff of the Times: “First, we should always treat Twitter, Facebook and other social media platforms as public activities. Regardless of your privacy controls or the size of your follower list, anything you post online can easily be shared with a wider audience…Or, as the policy suggests elsewhere: When in doubt, ask yourself if a given action might damage The Times’s reputation. If so, it’s probably a bad idea.”  Written by Phil Associate Managing Editor.

There are a multitude of examples, with most of them involving healthcare! Be aware of the potential risks of using social media, and especially use caution when connecting with patients online.

Time for a social media policy or maybe update your existing policy to reflect social networking in the year 2013!

For help visit for more information or email