Published on: | by

HHS Announces First Settlement for Breach of HIPAA Privacy Rule Involving Fewer Than 500 Individuals

A press release from the U.S. Department of Health and Human Services (“HHS”) published on January 2, 2013 announced that the Department had reached its first settlement with a covered entity for a breach of the Health and Information Portability and Accountability Act (“HIPAA”) Privacy Rule affecting fewer than 500 individuals. The settlement agreement with the Hospice of North Idaho (“HONI”) was the result of an investigation into HONI’s privacy practices initiated after the entity self-reported to the HHS Office of Civil Rights (“OCR”) that a laptop containing the unencrypted electronic protected health information (“ePHI”) of 441 individuals was stolen in June of 2010.

During its investigation, OCR found that HONI had failed:

• To conduct an adequate risk analysis of the unencrypted ePHI on portable devices that HONI used for the entity’s field work;
• To subsequently adopt, implement, and maintain appropriate security measures to ensure the confidentiality of the ePHI on the portable devices that it used to create, maintain, and transmit the ePHI; and
• To document the decisions it made with regards to security measures.

As a result of the settlement, HONI agreed to pay HHS $50,000 and enter into a Correct Action Plan. While the settlement resolves the investigation under the privacy and security rule, it does not absolve HONI of liability under other provisions that may apply such as section 1177 of the Social Security Act for knowing or intentional releases of PHI.

For breaches involving 500 or more individuals, the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule requires covered entities to report the breach within 60 days after the discovery. Smaller breaches under 500 individuals, such as the one involving the settlement with HONI, must be reported to the Secretary on an annual basis.

Given the increased enforcement activity in the HIPAA area, providers are well advised to ensure that they have appropriate HIPAA privacy and security measures in place.

For more information on this issue, please contact Abby Pendleton, Esq. or Jessica Gustafson, Esq. at (248) 996-8510 or visit the HLP website.

Contact Information
Detroit
32000 Northwestern Hwy #240
Farmington Hills, MI 48334
P (248) 996-8510 F (248) 996-8525

The Health Law Partners, P.C.

New York City
15 W 38th St 4th Floor #735
New York, NY 10018
P (212) 734-0128 F (917) 210-2952

The Dresevic, Iwrey, Kalmowitz & Pendleton Law Group A Division of The Health Law Partners, P.C.

This is an attorney advertisement.

We serve the following localities: Alpena County, Alpena, Bay County, Auburn, Bay City, Essexville, Pinconning, Berrien County, Benton Harbor, Berrien Springs, Buchanan, Coloma, Niles, St. Joseph, Stevensville, Watervliet, Calhoun County, Albion, Battle Creek, Marshall, Charlevoix County, Boyne City, Charlevoix, East Jordan, Cheboygan County, Cheboygan, Crawford County, Grayling, Eaton County, and Bellevue. [ View More ]

This is an attorney advertisement.

Branding by Zoyes Creative

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Please do not include any confidential or sensitive information in a contact form, text message, or voicemail. The contact form sends information by non-encrypted email, which is not secure. Submitting a contact form, sending a text message, making a phone call, or leaving a voicemail does not create an attorney-client relationship.

Copyright © 2024, The Health Law Partners, P.C.
JUSTIA Law Firm Blog Design