Feds step up HIPAA enforcement with hospice settlement


A Hayden, Idaho-based hospice is the first health care organization to pay a HIPAA settlement over a breach that affected fewer than 500 individuals.

The Hospice of North Idaho (HONI) in Hayden will pay $50,000 to settle the matter, avoiding the larger civil penalties it could have faced had it been formally found in violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

HONI's settlement, reached last Friday, stems from a June 2010 incident when an unencrypted laptop containing the electronic protected health information (ePHI) of 441 patients was stolen from an employee's vehicle.

In the past, the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights, which enforces HIPAA, has gone after companies that experienced much larger breaches. This settlement is further indication, however, that the federal government is trying to make examples of all types of health care entities that lack suitable data security practices.

Under the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed in 2009, HIPAA-covered entities are required to report breaches affecting 500 or more individuals to the secretary of HHS and to the media within 60 days of discovering the incident. Organizations that suffer breaches affecting fewer than 500 people are only required to report the incident to the secretary in an annual log.

Rachel Seeger, a spokeswoman for HHS, told SCMagazine.com on Friday in an email that ePHI contained on the HONI laptop included patient names, addresses, dates of birth, Social Security numbers, diagnoses, medications, lab results and other treatment information.

“This settlement is based on the longstanding pattern of non-compliance with the HIPAA Security Rule,” Seeger said of the landmark settlement. “HONI did not conduct an accurate and thorough risk analysis to the confidentiality of ePHI as part of its security management process from 2005 through Jan. 17, 2012.”

The hospice also failed to evaluate the likelihood or impact of potential risks to the confidentiality of ePHI maintained in or transmitted using portable devices, Seeger said.

In a Wednesday news release, Leon Rodriguez, director of the HHS Office for Civil Rights, said the $50,000 settlement stands as a reminder that organizations, both large and small, may face stiff consequences for disregarding standard security practices, such as encrypting sensitive patient information.
