
HHS Announces First HIPAA Breach Settlement Involving Fewer Than 500 Patients


On January 2, 2013, the US Department of Health and Human Services (HHS) announced a settlement with Hospice of North Idaho (HONI) for alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlement is significant as the first one involving a breach of electronic protected health information (ePHI) affecting fewer than 500 patients.

The HHS Office for Civil Rights (OCR) investigated HONI's report that an unencrypted laptop computer containing the ePHI for approximately 450 patients was stolen in June 2010. The OCR determined that HONI had not conducted a thorough risk analysis to ensure the confidentiality of ePHI. Additionally, HONI did not have policies and procedures in place to ensure the security of mobile devices as required by the HIPAA Security Rule.

Under the Resolution Agreement, HONI agreed to pay HHS $50,000. In addition to the financial settlement, HONI entered into a two-year Corrective Action Plan (CAP). Under the CAP, HONI must:

  • Notify the OCR in writing within 30 days of determining a workforce member has failed to comply with privacy and security policies. The notice must include:
    • A complete description of the event, including the relevant facts, the persons involved and the provisions of the privacy and security policies and procedures implicated; and
    • A description of the actions taken and further steps HONI plans to take to address the matter, mitigate harm and prevent it from recurring, including the application of sanctions against workforce members who fail to comply with privacy and security policies and procedures.
  • Notify the OCR in writing within 30 days of the expiration of the CAP if no reportable events occur within the two-year plan period.

Additionally, HONI is required to maintain all documents and records relating to CAP compliance for six years from the effective date of the agreement.

While mobile devices provide employers with an effective and efficient way to conduct business, it is prudent for employers to ensure they have appropriate policies and procedures in place that address the security of such devices. The OCR launched a new educational initiative that offers health care providers and organizations practical tips on ways to protect ePHI when using mobile devices.


Topics:  Data Breach, Data Protection, HHS, HIPAA, HONI, Mobile Devices, OCR, PHI, Settlement

Published In: Health Law Updates, Privacy Updates, Science, Computers & Technology Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© XpertHR - Partnered with LexisNexis | Attorney Advertising
