HIPAA settlement brings small covered entities into play

If you think HIPAA enforcements only happen to the "big guys" among healthcare providers, think again. The Department of Health & Human Services announced on Jan. 2 a financial settlement for a HIPAA breach involving fewer than 500 patients.

Hospice of North Idaho (HONI) will pay HHS $50,000 to settle potential HIPAA violations stemming from a 2010 incident, HHS officials said.

After an unencrypted company laptop containing the electronic protected health information (ePHI) of 441 patients was stolen in June 2010, the HHS Office for Civil Rights (OCR) began an investigation and found that HONI had not conducted an adequate risk analysis to safeguard patient ePHI.

“This action sends a strong message to the healthcare industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information,” said OCR Director Leon Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

HONI officials claim, however, that following its report to HHS, the group did develop a risk-assessment plan. According to a HONI press release, the group responded by encrypting all laptops, enhancing password protection, and offering HIPAA privacy and security training for staff.

HONI also did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule, according to OCR officials. Since the June 2010 theft, HONI has taken extensive additional steps to improve its HIPAA privacy and security compliance program. Because these steps were taken, HONI will pay a settlement amount significantly less than the penalties originally imposed.

“The theft of the laptop was out of our hands, but the measures we have taken since then to ensure the security and privacy of our patients’ information have been numerous,” said Brenda Wild, board president at HONI. “We take this incident very seriously.”

The Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information; a breach affecting 500 or more individuals must be reported to the Secretary of HHS and the media within 60 days after the discovery of the breach. Smaller breaches affecting fewer than 500 individuals must be reported to the Secretary on an annual basis.