Hospice to Pay $50,000 to Settle HIPAA Breach Case
A nonprofit hospice in Idaho will pay $50,000 to the Department of Health and Human Services to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA).
The Hospice of North Idaho (HONI) and the agency reached the settlement following an investigation into the theft of an unencrypted laptop computer and the potential exposure of 441 patients’ electronic protected health information (ePHI).
The HHS received notice of the June 2010 laptop theft from HONI in February 2011. A subsequent investigation by the HHS Office for Civil Rights (OCR) determined the hospice had not conducted a risk analysis to safeguard ePHI. In addition, the hospice didn’t have the required policies or procedures in place to address mobile device security.
Under the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule, covered entities must alert the HHS secretary and media within 60 days of the discovery of a breach involving more than 500 individuals. Breaches involving fewer individuals must be reported to the secretary annually.
The hospice says it has identified and contacted potentially affected patients, offering them credit monitoring. It also has hired information technology and human resources personnel to replace the outsourced services in place at the time of the theft, according to a statement.
“The theft of the laptop was out of our hands, but the measures we have taken since then to ensure the security and privacy of our patients’ information have been numerous,” says Hospice of North Idaho Board President Brenda Wild. “We take this incident very seriously.”
The HONI settlement is the first involving a breach of unsecured ePHI affecting fewer than 500 individuals, according to the HHS statement.
You can read the resolution agreement here: www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/honi-agreement.pdf
Posted: January 9, 2013

