January 3, 2013

First HIPAA Settlement Involving a Smaller Breach

Holland & Knight Privacy Blog
Shannon Britton Hartsfield

On January 2, 2013, the federal Department of Health and Human Services (HHS) announced the first HIPAA breach settlement involving less than 500 patients.  The Hospice of North Idaho (HONI) agreed to pay $50,000 and enter into a "corrective action plan" with HHS's Office for Civil Rights. The corrective action plan requires that, for the next two years, HONI must report  to HHS within 30 days if any workforce member fails to comply with HONI's privacy and security policies.

This matter started with the theft of an unencrypted laptop in June of 2010. The laptop contained protected health information of 441 patients.  The entity does not appear to have been penalized for the breach itself. Instead, the settlement relates to the Office for Civil Rights' investigation that found that HONI had not conducted a risk analysis regarding the security of electronic protected health information, and did not have policies or procedures in place to address mobile device security. 

Related Blog
Cybersecurity and Privacy Blog
Related Practices
Data Strategy, Security & Privacy Technology Healthcare & Life Sciences
Related Industries
Technology & Telecommunications Healthcare & Life Sciences
Subscribe to Updates and Events
Click to Sign Up

Related Insights