First-of-its-kind HIPAA settlement announced, Idaho hospice group to pay

$50,000 fine levied for breach involving fewer than 500 patients

In what's been billed as the first HIPAA breach settlement involving fewer than 500 patients, Hospice of North Idaho will pay the Department of Health and Human Services $50,000 to settle potential HIPAA violations stemming from a 2010 incident, HHS officials announced Wednesday. 

After an unencrypted company laptop containing the electronic protected health information of 441 patients was stolen in June 2010, the HHS Office for Civil Rights began its investigation and found that HONI had not conducted an adequate risk analysis to safeguard patient ePHI.
 
[See also: Indiana HIPAA breach involves 29,000.]
 
“This action sends a strong message to the healthcare industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information,” said OCR Director Leon Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”
 
HONI officials claim, however, that following its report to HHS, the group did develop a risk assessment plan. According to a HONI press release, the group responded by encrypting all laptops, enhancing password protection, and offering HIPAA privacy and security training for staff.
 
HONI also did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule, according to OCR officials. Since the June 2010 theft, HONI has taken extensive additional steps to improve its HIPAA privacy and security compliance program. Because these steps were taken, HONI will pay a settlement significantly less than the penalties originally imposed.
 
“The theft of the laptop was out of our hands, but the measures we have taken since then to ensure the security and privacy of our patients’ information have been numerous,” said Brenda Wild, board president at HONI. “We take this incident very seriously.”
 
[See also: U of Michigan Health System, Omnicell report patient data breach.]
 
The Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule requires covered entities to report a breach, that is, an impermissible use or disclosure of protected health information, affecting 500 or more individuals to the Secretary of HHS and the media within 60 days of discovering the breach. Smaller breaches affecting fewer than 500 individuals must be reported to the Secretary on an annual basis.