HHS announces first HIPAA breach settlement involving fewer than 500 patients

The Hospice of North Idaho (HONI) has agreed to pay the U.S. Department of Health and Human Services (HHS) $50,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. This is the first settlement involving a breach of unprotected electronic protected health information (ePHI) affecting fewer than 500 individuals.

The investigation by the HHS Office for Civil Rights (OCR) followed a breach report that HONI submitted, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, reporting the theft of a laptop computer containing the ePHI of 441 patients. Over the course of the investigation, OCR discovered that HONI had not conducted a risk analysis to safeguard ePHI. Further, HONI did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule. Since the June 2010 theft, HONI has taken extensive additional steps to improve its HIPAA Privacy and Security compliance program.

OCR and the HHS Office of the National Coordinator for Health Information Technology (ONC) have launched a new educational initiative, Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information, which offers health care providers and organizations practical tips on ways to protect their patients' protected health information when using mobile devices such as laptops, tablets, and smartphones. For more information, tips, and steps on protecting and securing health information when using a mobile device, visit www.HealthIT.gov/mobiledevices.

 

Learn more about the settlement:  http://www.hhs.gov/news/press/2013pres/01/20130102a.html

Resolution Agreement:

 
