HHS announces first HIPAA breach settlement involving less than 500 patients

A single unencrypted laptop computer containing electronic protected health information (ePHI) cost The Hospice of North Idaho (HONI) $50,000. HONI agreed to pay the U.S. Department of Health and Human Services (HHS) a $50,000 fine to settle potential breaches of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.

HONI regularly used laptops in field work. However, according to HHS, HONI did not conduct an accurate and thorough analysis of the risk to the confidentiality of ePHI posed by mobile devices on an ongoing basis as part of its security management process, in violation of HIPAA. HONI also failed to implement security measures sufficient to ensure the confidentiality of ePHI that it created, maintained and transmitted using portable devices, another alleged HIPAA breach. In addition to the fine, HHS required HONI to enter into a corrective action plan.

The HONI settlement is notable as the first settlement of an alleged HIPAA violation based on a breach of ePHI affecting fewer than 500 individuals. The government discovered in its investigation that HONI simply failed to conduct any risk assessment to safeguard ePHI and failed to have policies and procedures to address mobile devices. Leon Rodriguez, the Director of the HHS Office for Civil Rights, explained: “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.”

It is critical for medical practices and other health care businesses that mobile devices, such as smart phones, laptops and tablets, be included in their HIPAA risk assessment and compliance process. Being small is no insulation for a health care provider from the risks associated with HIPAA violations, a reality underscored by this HHS announcement. All providers should obtain a risk assessment and regularly review and document their HIPAA policies and procedures.

Kevin Little is an Augusta and Atlanta business lawyer whose practice is focused on health care issues. He is rated “AV” by Martindale-Hubbell (its highest rating). Our firm has offices in Atlanta and Augusta, Georgia. You can contact us at (404) 685-1662 (Atlanta) or (706) 722-7886 to arrange a consultation.

Source: HHS News Release

*Disclaimer: Thoughts shared here do not constitute legal advice.
