Health Law: Hospice pays $50,000 for Failing to Conduct HIPAA Security Risk Assessment; Inadequate Security Policies


A small non-profit hospice in Idaho agreed to pay $50,000 to settle allegations that it violated the HIPAA security regulations. The allegations stemmed from a report made to HHS by the hospice after a laptop containing protected health information of 441 patients was stolen. The information on the laptop was not encrypted making the loss of the laptop a reportable breach. After investigating the breach, OCR fined the hospice for failing to have a risk assessment as required by the HIPAA security regulations and policies and procedures addressing mobile device security. The settlement is a lesson to all providers, large and small, that failing to implement and update HIPAA security policies and procedures can have significant repercussions. Providers should routinely conduct security risk assessments and update their HIPAA security policies and procedures  as needed to ensure they adequately address identified risks.

Topics:  Data Protection, HIPAA, Medical Records, OCR, PHI, Risk Assessment

Published In: Consumer Protection Updates, Health Updates, Privacy Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Brown Law Firm | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »