On January 2, 2013, the U.S. Department of Health and Human Services (“HHS”) announced that it had entered into a Resolution Agreement with Hospice of North Idaho (“HONI”) to settle alleged HIPAA violations arising from the theft of an unencrypted laptop computer containing the electronic protected health information of 441 patients. This is the first HHS settlement for a breach of protected health information (“PHI”) affecting fewer than 500 individuals.
After being notified by HONI of the stolen laptop, the HHS Office for Civil Rights (“OCR”) conducted an investigation and concluded the following:
- HONI did not conduct an accurate and thorough risk analysis as required by the HIPAA Security Rule, especially with respect to an evaluation of the likelihood and impact of potential risks to the confidentiality of electronic PHI maintained in and transmitted by portable devices.
- HONI did not have in place policies or procedures to address the security of PHI stored on or transmitted by portable electronic devices.
Under the Resolution Agreement, HONI agreed to pay $50,000 and to enter into a two-year corrective action plan with HHS. A copy of the Resolution Agreement can be found at: http://www.hhs.gov.privacy/hipaa/enforcement/examples/honi-agreement.pdf.
Although this case is unique in that it is the first HHS settlement of a data breach involving fewer than 500 individuals, the facts that gave rise to the action are all too familiar. The breach resulted from the theft of an unencrypted laptop, and HHS was troubled by the provider’s alleged lack of a risk analysis and of appropriate policies and procedures to protect PHI stored on or transmitted by portable electronic devices. In this era of increased HIPAA enforcement, covered entities and business associates must remain vigilant in their HIPAA compliance efforts. This includes, without limitation, (i) conducting thorough risk assessments, (ii) developing and updating robust HIPAA policies and procedures, and (iii) conducting ongoing HIPAA training and awareness programs for all staff. In essence, affected entities must create what OCR has often referred to as a “culture of compliance.” Moreover, emphasis should be placed on the use and safeguarding of portable electronic devices, which, as in this case, are frequently at the center of a data breach. Encrypting laptops and other portable devices is the most direct safeguard: under HHS guidance issued pursuant to the HITECH Act, PHI that is encrypted in accordance with the referenced NIST standards is not “unsecured” PHI, so the loss or theft of such a device does not by itself trigger breach notification obligations.