A press release from the U.S. Department of Health and Human Services ("HHS") published on January 2, 2013 announced that the Department had reached its first settlement with a covered entity for a breach of the Health and Information Portability and Accountability Act ("HIPAA") Privacy Rule affecting fewer than 500 individuals. The settlement agreement with the Hospice of North Idaho ("HONI") was the result of an investigation into HONI's privacy practices initiated after the entity self-reported to the HHS Office of Civil Rights ("OCR") that a laptop containing the unencrypted electronic protected health information ("ePHI") of 441 individuals was stolen in June of 2010.
During its investigation, OCR found that HONI had failed:
• To conduct an adequate risk analysis of the unencrypted ePHI on portable devices that HONI used for the entity's field work;
• To subsequently adopt, implement, and maintain appropriate security measures to ensure the confidentiality of the ePHI on the portable devices that it used to create, maintain, and transmit the ePHI; and
• To document the decisions it made with regards to security measures.
As a result of the settlement, HONI agreed to pay HHS $50,000 and enter into a Correct Action Plan. While the settlement resolves the investigation under the privacy and security rule, it does not absolve HONI of liability under other provisions that may apply such as section 1177 of the Social Security Act for knowing or intentional releases of PHI.
For breaches involving 500 or more individuals, the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule requires covered entities to report the breach within 60 days after the discovery. Smaller breaches under 500 individuals, such as the one involving the settlement with HONI, must be reported to the Secretary on an annual basis.
Given the increased enforcement activity in the HIPAA area, providers are well advised to ensure that they have appropriate HIPAA privacy and security measures in place.