By Alex Ruoff
A small nonprofit hospice organization in Idaho has agreed to pay $50,000 to the Department of Health and Human Services to settle allegations of federal data security rule violations over the loss of a laptop containing the personal health information of 441 patients, HHS announced Jan. 2.
The settlement is the first involving a breach of protected health information affecting fewer than 500 individuals under the Health Insurance Portability and Accountability Act Security Rule, HHS said.
The Hospice of North Idaho reported to the HHS Office for Civil Rights that an unencrypted laptop containing electronic health information had been stolen in June 2010, HHS said.
OCR fined the hospice organization after it discovered the organization had not conducted a security risk analysis, as required by the HIPAA Security Rule, to safeguard the electronic patient health information and did not have in place policies or procedures to address mobile device security, HHS said.
Of particular concern, the Hospice of North Idaho did not evaluate the likelihood or impact of potential risks to the confidentiality of the electronic health information it maintained on portable devices, Rachel Seeger, a spokeswoman for OCR, told BNA in an email.
The hospice also did not implement security measures to address the risk of losing patient health information or maintain a process for managing that risk, she said.
The settlement is a signal to covered entities that even relatively small organizations can be fined for failing to comply with HIPAA security standards, Leon Rodriguez, director of OCR, said in a release.
“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients' health information,” Rodriguez said. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”
Since discovering the loss of the laptop, the Hospice of North Idaho has begun improving its HIPAA compliance program, HHS said.
The Hospice of North Idaho has a staff of roughly 100 and an annual budget of more than $8.8 million, according to tax records for the Hayden, Idaho-based entity.
The Hospice of North Idaho has entered into a two-year corrective action plan with HHS as part of the settlement.
In the plan, the hospice agreed to report to HHS if an employee fails to comply with the organization's new privacy and security procedures.
The corrective action plan between OCR and the Hospice of North Idaho is at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/honi-agreement.pdf.