On January 2, 2013, HHS announced that the Hospice of North Idaho (HONI) agreed to pay $50,000 and enter into a Corrective Action Plan (CAP) as part of a settlement involving a breach of unsecured electronic protected health information (ePHI). This is the first settlement by the HHS Office for Civil Rights (OCR) involving a breach affecting less than 500 individuals. HONI had self-reported to OCR in February 2011 that an unencrypted laptop containing ePHI of 441 patients was stolen in June 2010. In response, OCR initiated an investigation into the breach. OCR’s investigation indicated that HONI failed to conduct a risk analysis of the security of ePHI transmitted using portable devices and failed to adopt or implement sufficient measures to ensure the confidentiality of ePHI transmitted using portable devices “to a reasonable and appropriate level.” According to HHS, HONI has taken substantial action since the theft to improve its HIPAA Privacy and Security compliance program. Nonetheless, under the CAP, HONI is required to notify OCR in writing within 30 days of any instances in which the company determines that a member of its workforce has failed to comply with the company’s privacy and security policies and procedures. The term of the CAP is two years.
HIPAA requires that breaches of unsecured PHI affecting 500 or more individuals be reported to the Secretary of HHS and the media within 60 calendar days after discovery of a breach. Covered entities must also maintain a log of breaches of unsecured PHI affecting fewer than 500 individuals each year and must disclose such breaches annually to the Secretary of HHS no later than sixty days following the end of each calendar year. This settlement sends the message to the healthcare industry that OCR is investigating even relatively smaller disclosed breaches of unsecured PHI to identify and penalize noncompliance with the HIPAA Privacy and Security Rules, and confirms OCR’s lack of tolerance for the storage of ePHI on unencrypted portable devices. Covered entities should update their risk assessments and take those actions necessary to bring their organizations into compliance with the HIPAA Privacy and Security Rules.
A copy of the HHS press release is available here. Click here for a copy of the Resolution Agreement between OCR and HONI.
Reporter, Kate Stern, Atlanta, +1 404 572 4661, kstern@kslaw.com.