Small Data Breach Leads to $50,000 HHS Settlement for Hospice


In what HHS declares as “the first settlement involving a breach of unprotected electronic protected health information (ePHI) affecting fewer than 500 individuals,” the Office for Civil Rights (OCR) reached a $50,000 settlement and two-year corrective action plan with the Hospice of Northern Idaho regarding the theft of a hospice laptop containing health information of 441 patients. (Only in the world of HIPAA can you have “unprotected … protected” information.) OCR’s press release, continuing a recent trend, emphasized the importance of encrypting mobile devices, conducting a risk analysis, and implementing policies and procedures to address mobile device security.

The press release also emphasizes that OCR is willing to take aggressive actions against entities of any size that fail to safeguard patient information. The $50,000 resolution amount, though, is far below the average of approximately $900,000, suggesting that the size of the organization will play a much larger role than the nature of the incident when determining settlement amounts. For example, OCR recently reached a settlement of $100,000 with a small physician practice for an allegedly widespread lack of information security safeguards, while it reached a $1.5 million settlement with a larger hospital over a relatively small breach and more narrow information security issues.

OCR reportedly has received tens of thousands of small breach reports since the interim final breach notification rule’s compliance date of September 2009. This appears to be the first of such breach reports that has led to a settlement. It begs the question of whether other types of small breaches will lead to settlements, such as cases of employee “snooping.”

One final note is that of OCR’s 11 settlements related to HIPAA, this is the fifth from Region X (Seattle). Although there are 10 OCR regional offices, 45 percent of the settlements have come from the Seattle regional office.


Written by:

Published In:


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Wright Tremaine LLP | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »

All the intelligence you need, in one easy email:

Great! Your first step to building an email digest of JD Supra authors and topics. Log in with LinkedIn so we can start sending your digest...

Sign up for your custom alerts now, using LinkedIn ›

* With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name.