A Hayden, Idaho-based hospice is the first health care organization to be fined for sustaining a breach that affected fewer than 500 individuals.

The Hospice of North Idaho (HONI) in Hayden will pay $50,000 to avoid more costly penalties if it would have been found in violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

HONI’s settlement, reached last Friday, stems from a June 2010 incident when an unencrypted laptop containing the electronic protected health information (ePHI) of 441 patients was stolen from an employee’s vehicle.

In the past, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights, which enforces HIPAA, has gone after companies that experienced much larger breaches. This settlement is further indication, however, that the federal government is trying to make examples of all types of health care entities that lack suitable data security practices.

According to the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed in 2009, HIPAA-covered entities are required to report breaches of 500 or more individuals to the secretary of HHS and the media within 60 days of discovering the incident. Those organizations that suffer breaches affecting fewer than 500 people are only required to report the incident to the secretary annually.

Rachel Seeger, a spokeswoman for HHS, told SCMagazine.com on Friday in an email that ePHI contained on the HONI laptop included patient names, addresses, dates of birth, Social Security numbers, diagnoses, medications, lab results and other treatment information.

“This settlement is based on the longstanding pattern of non-compliance with the HIPAA Security Rule,” Seeger said of the landmark settlement. “HONI did not conduct an accurate and thorough risk analysis to the confidentiality of ePHI as part of its security management process from 2005 through Jan. 17, 2012.”

The hospice also failed to evaluate the likelihood or impact of potential risks to the confidentiality of ePHI maintained in or transmitted using portable devices, Seeger said.

In a Wednesday news release, Leon Rodriguez, director of the HHS Office for Civil Rights, said the $50,000 penalty stands as a looming reminder that organizations, both large and small, may face stiff consequences for disregarding standard security practices, like encrypting sensitive patient information. 

“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information,” Rodriguez said. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

In March, BlueCross BlueShield (BCBS) of Tennessee reached a $1.5 million settlement with HHS after a 2009 breach that affected more than one million of its members.

In fall 2009, 576 unencrypted computer hard drives were stolen from a data storage closet in Chattanooga, Tenn., during a move to a new facility. The data included audio recordings of customer support calls and screen shots of what BCBS call center staff saw when handling the calls.

In a Friday interview with SCMagazine.com, Amanda Miller, director of community development at HONI, said all mobile devices used by hospice staff are currently encrypted.

“By the time OCR came to investigate us in May, we were up to compliance at that point,” Miller said. “We have encrypted [devices], we have very strict password enforcement, and have implemented scheduled HIPAA privacy security training for staff.”

HONI has also hired IT and HR professionals, whereas support in those areas was previously outsourced. To date, HONI is not aware of the lost patient information being used maliciously, Miller added.

The hospice entered into a “corrective action plan” with HHS, which requires the institution over the next two years to inform HHS, in writing and within 30 days, of any failure by staff to comply with HIPAA privacy and security rules.