HHS has announced its first HIPAA breach settlement involving fewer than 500 patients. The announcement came on January 2, 2013, following a disclosure by the provider, Hospice of North Idaho. The facts involved the theft of an unencrypted laptop that contained ePHI for 441 individuals. HHS found that the provider did not conduct a sufficient analysis of the risk to the confidentiality of ePHI after the new rule went into effect and did not have in place appropriate policies or security measures to ensure the confidentiality of ePHI. To settle the matter, the provider agreed to pay HHS $50,000 and enter into a corrective action plan. More information about the settlement, including the settlement agreement, can be found at this link on the HHS website.
This settlement shows that HHS takes breach notifications seriously. At the same time, it appears that HHS will be open to entering into reasonable settlement agreements to resolve this type of breach. Mostly, this demonstrates what we all know: don’t put ePHI on unencrypted laptops or other mobile devices. For more information, contact Dave Schoolcraft, Lee Kuo or Casey Moriarty.