On January 2, 2013, the US Department of Health and Human Services (HHS) announced a settlement with Hospice of North Idaho (HONI) for alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlement is significant because it is the first settlement involving a breach of electronic protected health information (ePHI) affecting fewer than 500 patients.
The HHS Office for Civil Rights (OCR) investigated HONI's report that an unencrypted laptop computer containing the ePHI for approximately 450 patients was stolen in June 2010. The OCR determined that HONI had not conducted a thorough risk analysis to ensure the confidentiality of ePHI. Additionally, HONI did not have policies and procedures in place to ensure the security of mobile devices as required by the HIPAA Security Rule.
Under the Resolution Agreement, HONI agreed to pay HHS $50,000. In addition to the financial settlement, HONI entered into a two-year Corrective Action Plan (CAP). Under the CAP, HONI must:
Notify the OCR in writing within 30 days of determining a workforce member has failed to comply with privacy and security policies. The notice must include:
A complete description of the event, including the relevant facts, the persons involved and the provisions of the privacy and security policies and procedures implicated; and
A description of the actions taken and further steps HONI plans to take to address the matter, mitigate harm and prevent it from recurring, including the application of sanctions against workforce members who fail to comply with privacy and security policies and procedures.
Notify the OCR in writing within 30 days of the expiration of the CAP if no reportable events occur within the two-year plan period.
Additionally, HONI is required to maintain all documents and records relating to CAP compliance for six years from the effective date of the agreement.
While mobile devices provide employers with an effective and efficient way to conduct business, it is prudent for employers to ensure they have appropriate policies and procedures in place that address security of such devices. The OCR launched a new educational initiative that offers health care providers and organizations practical tips on ways to protect ePHI when using mobile devices.
Employee Benefits > Health Information and Privacy