• HIPAA Settlement Meant to Be a Warning to Smaller Providers
  • March 26, 2013 | Author: David Dirr
  • Law Firm: Dressman Benzinger LaVelle psc - Crestview Hills Office
  • On January 2, 2013, the U.S. Department of Health and Human Services (HHS) announced its first settlement involving a breach of protected health information (PHI) affecting fewer than 500 individuals. Under the terms of the settlement, Hospice of North Idaho (HONI) has agreed to pay HHS $50,000 to resolve potential violations of the HIPAA Privacy Rule. The settlement arises from an incident in June 2010 in which an unencrypted laptop containing the electronic PHI of 441 patients was stolen. HONI reported the breach to HHS pursuant to its duty under the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule, which requires covered entities to report breaches affecting fewer than 500 individuals to the Secretary of HHS on an annual basis.

    The press release announcing the settlement reveals that HONI likely made itself a target of an enforcement action after HHS discovered that HONI had not conducted a risk analysis to safeguard PHI and did not have policies to address mobile device security, both of which are required by HIPAA. This settlement should serve as another reminder to healthcare providers of all sizes to develop policies and procedures to protect PHI before a breach occurs. In this case, if HONI had invested the modest time and expense required to encrypt the PHI on the laptop before it was stolen, it could have saved itself from the national notoriety bestowed on it by this settlement.

    A copy of the settlement can be found here:

    http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/honi-agreement.pdf