Hospice Organization Settles HIPAA Breach Involving Less Than 500 Patients

The Department of Health and Human Services (HHS) announced that the Hospice of North Idaho (HONI) agreed to pay $50,000 to settle possible violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. This settlement is the first involving a breach of unprotected electronic protected health information (ePHI) affecting less than 500 individuals.

HONI reported to HHS that an unencrypted laptop computer containing ePHI of 441 patients was stolen in June 2010, prompting the HHS Office for Civil Rights (OCR) to conduct an investigation. OCR discovered that HONI did not conduct risk analyses or establish policies and procedures to address mobile device security, safeguards that are requirements of the HIPAA Security Rule.

OCR and HHS have launched a new educational initiative called Mobile Devices: Know the Risks. Take the Steps. Protect and Secure Health Information to offer health care providers and organizations strategies to protect their patient’s health information when using mobile devices.

The press release can be found on the HHS website at:
http://www.hhs.gov/news/press/2013pres/01/20130102a.html.

The Resolution Agreement for HONI can be found on the OCR website at:
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/honi-agreement.pdf.

Department of Health and Human Services. “HHS Announces First HIPAA Breach Settlement Involving Less Than 500 Patients.” News Release. 2 Jan. 2013