On January 2, 2013, the U.S. Department of Health and Human Services (HHS) announced its first settlement involving a breach of protected health information (PHI) affecting fewer than 500 individuals. Under the terms of the settlement, Hospice of North Idaho (HONI) has agreed to pay HHS $50,000 to resolve potential violations of the HIPAA Privacy Rule. The settlement arises from an incident that occurred in June 2010 in which an unencrypted laptop containing the electronic PHI of 441 patients was stolen. HONI reported the breach to HHS pursuant to its duty under the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule, which requires covered entities to report breaches affecting fewer than 500 individuals to the Secretary of HHS on an annual basis.
The press release announcing the settlement reveals that HONI likely made itself a target of an enforcement action by HHS after the agency discovered that HONI had not conducted a risk analysis to safeguard PHI and did not have policies to address mobile device security, which are required by HIPAA. This settlement should serve as another reminder to healthcare providers of all sizes to develop policies and procedures to protect PHI before a breach occurs. In this case, if HONI had spent the modest time and expense of encrypting the PHI on the laptop before it was stolen, HONI could have saved itself from the national notoriety bestowed on it by this settlement.
A copy of the settlement can be found here: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/honi-agreement.pdf
David Dirr is an attorney at the Northern Kentucky office of Dressman Benzinger LaVelle and is a member of the firm’s healthcare and litigation practice groups. He is licensed to practice in Ohio, Kentucky, and Indiana. David concentrates his practice on the areas of Medicare and Medicaid reimbursement, anti-kickback law, the Stark law, and HIPAA.