First HIPAA Settlement Involving a Smaller Breach
On January 2, 2013, the federal Department of Health and Human Services (HHS) announced the first HIPAA breach settlement involving fewer than 500 patients. The Hospice of North Idaho (HONI) agreed to pay $50,000 and enter into a "corrective action plan" with HHS's Office for Civil Rights. The corrective action plan requires HONI, for the next two years, to report to HHS within 30 days if any workforce member fails to comply with HONI's privacy and security policies.
This matter started with the theft of an unencrypted laptop in June of 2010. The laptop contained protected health information of 441 patients. The entity does not appear to have been penalized for the breach itself. Instead, the settlement relates to the Office for Civil Rights' investigation, which found that HONI had not conducted a risk analysis regarding the security of electronic protected health information and did not have policies or procedures in place to address mobile device security.