The Department of Health and Human Services’ Office for Civil Rights (“HHS OCR”) announced today that it was, for the first time, entering into a monetary HIPAA settlement for a breach involving fewer than 500 patients: the Hospice of North Idaho (HONI) has agreed to pay HHS OCR $50,000 to settle potential HIPAA security rule violations.
HHS OCR began its investigation after HONI reported to it that an unencrypted laptop computer containing the electronic protected health information (“ePHI”) of 441 patients had been stolen in June 2010. Laptops containing ePHI are regularly used by the organization as part of its field work. Over the course of the investigation, HHS OCR learned that HONI had not conducted a risk analysis of how to safeguard ePHI. Further, HONI did not have in place policies or procedures to address mobile device security, as required by the HIPAA security rule.
In describing the resolution, HHS OCR Director Leon Rodriguez stated:
This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information. Encryption is an easy method for making lost information unusable, unreadable and undecipherable.
The intent of this action is unmistakable: to turn up the heat on HIPAA covered entities that have not yet encrypted all their portable devices.