Health Law: Hospice pays $50,000 for Failing to Conduct HIPAA Security Risk Assessment; Inadequate Security Policies


A small non-profit hospice in Idaho agreed to pay $50,000 to settle allegations that it violated the HIPAA security regulations. The allegations stemmed from a report made to HHS by the hospice after a laptop containing protected health information of 441 patients was stolen. The information on the laptop was not encrypted making the loss of the laptop a reportable breach. After investigating the breach, OCR fined the hospice for failing to have a risk assessment as required by the HIPAA security regulations and policies and procedures addressing mobile device security. The settlement is a lesson to all providers, large and small, that failing to implement and update HIPAA security policies and procedures can have significant repercussions. Providers should routinely conduct security risk assessments and update their HIPAA security policies and procedures  as needed to ensure they adequately address identified risks.