What Can Healthcare Entities Learn from the First Settlement for a HIPAA Breach Involving Fewer than 500 Patients?
Monday, January 7, 2013
Print Mail Download i

A breach of the Heath Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule in 2010 by the Hospice of North Idaho (HONI) resulted in a recent settlement payment of $50,000 to the U.S. Department of Health and Human Services (HHS). While settlements for large HIPAA violations are becoming increasingly common in recent years, this particular settlement is the first for a breach affecting fewer than 500 individuals.

The investigation by the HHS Office of Civil Rights (OCR) began after HONI reported the theft of an unencrypted laptop containing electronic patient health information (ePHI). While the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule requires breaches affecting 500 or more individuals to be reported to HHS within 60 days after discovery, those breaches affecting fewer than 500 individuals need only be reported to HHS on an annual basis. During the investigation, OCR determined that HONI had neither conducted a risk analysis to safeguard ePHI nor implemented procedures or policies to address mobile device security, as required under HIPAA.

In the HONI case and a recent case involving the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates (MEEI) (which resulted in a $1.5 Million settlement payment to HHS), OCR focused not only on the breach itself, but also whether the breaching entity had sufficient written HIPAA policies and had conducted the risk assessment required under the HIPAA Security Rule.  Healthcare entities, particularly smaller entities that may have previously thought that their size provided protection from HHS investigations and penalties, may want to consider the HONI settlement, along with recent settlements for larger breaches such as MEEI, as a "wake-up call" to develop or evaluate their own HIPAA Privacy and Security policies and procedures. Entities subject to HIPAA that do not have such policies and procedures in place may be prudent to adopt and maintain those addressing its specific HIPAA needs and concerns to reduce the chance of a breach. Furthermore, even those entities that have HIPAA policies in place may want to consider re-evaluating their policies and procedures to ensure that they are both up-to-date and effective.

© 2024 BARNES & THORNBURG LLP

Current Legal Analysis

More from Barnes & Thornburg LLP

FTC Passes Final Rule Banning Worker Non-Compete Agreements
by: Kendall Millard , Christopher Rubey
The Sun Comes Out on Earth Day: EPA Announces Recipients of $7 Billion Solar For All Grants
by: Bruce White
DOL Salary Rule Alert: White Collar Exemption Final Rule Released
by: Kathleen M. Anderson , Mark Wallin
FTC Approves Non-Compete Ban
by: Christopher Rubey
Will New EPA Strategic Civil-Criminal Enforcement Policy Promote Fairness In Case Selection?
by: Richard E. Glaze Jr. , Bruce White
Union Election Petitions and Labor Charges Continue Their Meteoric Rise
by: David J. Pryzbylski
HHS-OIG Highlights Anti-Fraud Safeguards for Patient Assistance Programs Backed Mainly By Drug Manufacturers
by: Jason D. Schultz , Thomas K. Petersen
Crossing The Border: Federal Circuit Confirms Patent Owner’s Ability To Recover A Reasonable Royalty Based On Foreign Activity
by: Heather B. Repicky
Did the Supreme Court Just Invite Greenhushing? Not So Fast …
by: Bruce White
U.S. Supreme Court Clarifies, and Broadens, Definition of "Transportation Worker" Under the Federal Arbitration Act
by: Michael Witczak

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins