A Hayden, Idaho-based hospice is the first health care organization to be fined for sustaining a breach that affected fewer than 500 individuals.
The Hospice of North Idaho (HONI) in Hayden will pay $50,000 to avoid more costly penalties if it would have been found in violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
HONI's settlement, reached last Friday, stems from a June 2010 incident when an unencrypted laptop containing the electronic protected health information (ePHI) of 441 patients was stolen from an employee's vehicle.
In the past, the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights, which enforces HIPAA, has gone after companies that experienced much larger breaches. This settlement is further indication, however, that the federal government is trying to make examples of all types of health care entities that lack suitable data security practices.
According to the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed in 2009, HIPAA-covered entities are required to report breaches of 500 or more individuals to the secretary of HHS and the media within 60 days of discovering the incident. Those organizations that suffer breaches affecting fewer than 500 people are only required to report the incident to the secretary annually.
Rachel Seeger, a spokeswoman for HHS, told SCMagazine.com on Friday in an email that ePHI contained on the HONI laptop included patient names, addresses, dates of birth, Social Security numbers, diagnoses, medications, lab results and other treatment information.
“This settlement is based on the longstanding pattern of non-compliance with the HIPAA Security Rule,” Seeger said of the landmark settlement. “HONI did not conduct an accurate and thorough risk analysis to the confidentiality of ePHI as part of its security management process from 2005 through Jan. 17, 2012.”
The hospice also failed to evaluate the likelihood or impact of potential risks to the confidentiality of ePHI maintained in or transmitted using portable devices, Seeger said.
In a Wednesday news release, Leon Rodriguez, director of the HHS Office for Civil Rights, said the $50,000 penalty stands as a looming reminder that organizations, both large and small, may face stiff consequences for disregarding standard security practices, like encrypting sensitive patient information.