On January 2, 2013, the U.S. Department of Health and Human Services (HHS) announced a settlement agreement with The Hospice of North Idaho (HONI), under which HONI agreed to pay HHS $50,000 and enter into a corrective action plan. This marks the first HHS settlement concerning a breach of unsecured electronic protected health information (ePHI) affecting fewer than 500 individuals.
As required under 45 C.F.R. Section 164.408, HONI notified the HHS Office for Civil Rights (OCR) following the theft of a laptop containing unencrypted ePHI of 441 individuals. This triggered an OCR investigation of the matter. OCR noted that laptops containing ePHI are regularly used by HONI personnel as part of their field work. OCR also found that since the theft, “HONI has taken extensive additional steps to improve [its] HIPAA Privacy and Security compliance programs.” However, over the course of the investigation, OCR also found two things that presumably led to the $50,000 payment and corrective action plan:
• HONI, the hospice provider, had failed to conduct a risk analysis to safeguard the ePHI; and
• HONI had not implemented policies or procedures to address mobile device security.
According to OCR Director Leon Rodriguez, “[t]his action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.” [Emphasis supplied.] Mr. Rodriguez also took this opportunity to encourage use of encryption: “[e]ncryption is an easy method for making lost information unusable, unreadable and undecipherable.”
There are several take-home messages from this settlement. First, providers who are not HIPAA compliant at the time of a breach of unsecured ePHI should expect to pay substantial amounts to the government. Second, post-breach corrective actions may not prevent this, though clearly these should be taken (and could favorably affect the amount a provider ultimately has to pay). Third, small providers should not expect a pass. Finally, encryption procedures should be implemented where feasible; this step could ultimately save a lot of time and headache, both for the provider and for individuals otherwise affected by a breach, not to mention the substantial amounts that a provider may otherwise have to spend in penalties or settlement.