By Alex Ruoff
A small nonprofit hospice organization in Idaho has agreed to pay $50,000 to the Department of Health and Human Services to settle allegations of federal data security rule violations over the loss of a laptop containing the personal health information of 441 patients, HHS announced Jan. 2.
The settlement is the first involving a breach of protected health information affecting fewer than 500 individuals under the Health Insurance Portability and Accountability Act Security Rule, HHS said.
The Hospice of North Idaho reported to the HHS Office for Civil Rights that an unencrypted laptop containing electronic health information had been stolen in June 2010, HHS said.
OCR fined the hospice organization after it discovered the organization had not conducted a security risk analysis, as required by the HIPAA Security Rule, to safeguard the electronic patient health information and did not have in place policies or procedures to address mobile device security, HHS said.
Of particular concern, the Hospice of North Idaho did not evaluate the likelihood or impact of potential risks to the confidentiality of the electronic health information it maintained on portable devices, Rachel Seeger, a spokeswoman for OCR, told BNA in an email.
The hospice also did not implement security measures to address the risk of losing patient health information or maintain a process for managing that risk, she said.
The settlement is a signal to covered entities that even relatively small organizations can be fined for failing to comply with HIPAA security standards, Leon Rodriguez, director of OCR, said in a release.
“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients' health information,” Rodriguez said. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”
Since discovering the loss of the laptop, the Hospice of North Idaho has begun improving its HIPAA compliance program, HHS said.
The Hospice of North Idaho has a staff of roughly 100 and an annual budget of more than $8.8 million, according to tax records for the Hayden, Idaho-based entity.
The Hospice of North Idaho has entered into a two-year corrective action plan with HHS as part of the settlement.
In the plan, the hospice agreed to report to HHS if an employee fails to comply with the organization's new privacy and security procedures.
The corrective action plan between OCR and the Hospice of North Idaho is at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/honi-agreement.pdf.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).