First HHS OCR Settlement for HIPAA Breach Involving Fewer Than 500 Patients Sends Message to Providers


On January 2, 2013, HHS announced that the Hospice of North Idaho (HONI) agreed to pay $50,000 and enter into a Corrective Action Plan (CAP) as part of a settlement involving a breach of unsecured electronic protected health information (ePHI).  This is the first settlement by the HHS Office for Civil Rights (OCR) involving a breach affecting fewer than 500 individuals.  HONI had self-reported to OCR in February 2011 that an unencrypted laptop containing the ePHI of 441 patients had been stolen in June 2010.  In response, OCR opened an investigation into the breach.  OCR's investigation indicated that HONI had failed to conduct a risk analysis of the security of ePHI transmitted using portable devices and had failed to adopt or implement sufficient measures to ensure the confidentiality of ePHI transmitted using portable devices "to a reasonable and appropriate level."  According to HHS, HONI has taken substantial action since the theft to improve its HIPAA Privacy and Security compliance program.  Nonetheless, under the CAP, HONI is required to notify OCR in writing within 30 days of any instance in which it determines that a member of its workforce has failed to comply with its privacy and security policies and procedures.  The term of the CAP is two years.

HIPAA requires that breaches of unsecured PHI affecting 500 or more individuals be reported to the Secretary of HHS and the media without unreasonable delay and in no case later than 60 calendar days after discovery of the breach.  Covered entities must also maintain a log of breaches of unsecured PHI affecting fewer than 500 individuals and must report those breaches to the Secretary of HHS annually, no later than 60 days following the end of the calendar year in which they were discovered.  This settlement sends the message to the healthcare industry that OCR is investigating even relatively small reported breaches of unsecured PHI to identify and penalize noncompliance with the HIPAA Privacy and Security Rules, and it confirms OCR's lack of tolerance for the storage of ePHI on unencrypted portable devices.  Notably, the breach notification obligations apply only to "unsecured" PHI; under HHS guidance, ePHI encrypted in accordance with the referenced NIST standards is not considered unsecured, so a properly encrypted laptop that is lost or stolen would not trigger these reporting requirements.  Covered entities should update their risk analyses to address portable devices and take the actions necessary to bring their organizations into compliance with the HIPAA Privacy and Security Rules.

A copy of the HHS press release is available here.  Click here for a copy of the Resolution Agreement between OCR and HONI. 

Reporter: Kate Stern, Atlanta, +1 404 572 4661

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
