In a first of its kind settlement, a non-profit medical facility in Idaho will pay the U.S. Department of Health and Human Services (HHS) $50,000 for HIPAA violations surrounding potential exposure of patient information.
The settlement is the first involving a breach of electronic protected health information affecting fewer than 500 individuals.
“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information,” said OCR Director Leon Rodriguez in an HHS press release published Wednesday.
In February 2010, Hospice of North Idaho (HONI) reported to HHS that an unencrypted laptop containing information on 441 patients was stolen from inside an employee’s car.
An OCR investigation found that HONI had no policies or procedures in regard to mobile device security as required by HIPAA. Additionally, HONI had never done any type of electronic protected health information risk analysis.
The laptop was never recovered.
When a breach impacts more than 500 individuals, companies are required to notify all major media outlets in their state, as well as the government. A notice is included on the Department of Health and Human Services Web site in accordance with the Health Information Technology for Economic and Clinical Health (HITECH) Act.
For breaches that affect fewer than 500 people, organizations keep a log that is turned in to the Secretary of Health and Human Services annually.
In addition to the fine, the December 28th agreement includes a two-year corrective action plan that mandates that the facility immediately report any future breaches to HHS.
“The theft of the laptop was out of our hands, but the measures we have taken since then to ensure the security and privacy of our patients’ information have been numerous,” Brenda Wild, Hospice of North Idaho Board President said in a written statement.
Since the incident, the facility has increased security on any equipment that contains patient information, including encryption and increased password protection, and scheduled security training.
HONI, with a staff of more than 100 people, is North Idaho’s only inpatient hospice facility. The organization serves members of the community regardless of their ability to pay.