On January 2, 2013, the Department of Health and Human Services (“HHS”) announced a resolution agreement and $50,000 settlement with Hospice of North Idaho (“HONI”) for a breach that affected 441 individuals. This action is notable because prior HHS enforcement actions relating to breaches have involved a greater number of affected individuals (for example, the first breach-related enforcement action in March 2012 affected more than 1 million). The Health Information Technology for Economic and Clinical Health (“HITECH”) Breach Notification Rule sets 500 as a threshold number of affected individuals triggering certain notification requirements such as the obligation to notify HHS within 60 days of discovery of the breach.
The HONI settlement relates to the theft of a laptop containing electronic protected health information (“ePHI”) in June 2010. Following the submission of a breach report to the HHS Office for Civil Rights (“OCR”), an investigation determined that HONI had not complied with HIPAA Security Rule requirements, including by failing to complete a risk analysis or implement sufficient risk management measures to “ensure the confidentiality of ePHI that it created, maintained, and transmitted using portable devices to a reasonable and appropriate level.”
Pursuant to the resolution agreement, HONI has agreed to pay $50,000 to HHS to settle the potential violations. In addition, the Corrective Action Plan attached to the resolution agreement requires HONI to investigate any potential violations of its HIPAA policies and procedures by workforce members. If HONI finds that a violation has occurred, it must submit a report of the violation to HHS within 30 days of the investigation. The report must include a detailed description of the facts, the relevant HIPAA policy or procedure violated, and any remediation measures or sanctions taken.
In announcing the settlement, OCR Director Leon Rodriguez noted that the action “sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.”