What Can Healthcare Entities Learn from the First Settlement for a HIPAA Breach Involving Fewer than 500 Patients?
A breach of the Heath Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule in 2010 by the Hospice of North Idaho (HONI) resulted in a recent settlement payment of $50,000 to the U.S. Department of Health and Human Services (HHS). While settlements for large HIPAA violations are becoming increasingly common in recent years, this particular settlement is the first for a breach affecting fewer than 500 individuals.
The investigation by the HHS Office of Civil Rights (OCR) began after HONI reported the theft of an unencrypted laptop containing electronic patient health information (ePHI). While the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule requires breaches affecting 500 or more individuals to be reported to HHS within 60 days after discovery, those breaches affecting fewer than 500 individuals need only be reported to HHS on an annual basis. During the investigation, OCR determined that HONI had neither conducted a risk analysis to safeguard ePHI nor implemented procedures or policies to address mobile device security, as required under HIPAA.
In the HONI case and a recent case involving the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates (MEEI) (which resulted in a $1.5 Million settlement payment to HHS), OCR focused not only on the breach itself, but also whether the breaching entity had sufficient written HIPAA policies and had conducted the risk assessment required under the HIPAA Security Rule. Healthcare entities, particularly smaller entities that may have previously thought that their size provided protection from HHS investigations and penalties, may want to consider the HONI settlement, along with recent settlements for larger breaches such as MEEI, as a "wake-up call" to develop or evaluate their own HIPAA Privacy and Security policies and procedures. Entities subject to HIPAA that do not have such policies and procedures in place may be prudent to adopt and maintain those addressing its specific HIPAA needs and concerns to reduce the chance of a breach. Furthermore, even those entities that have HIPAA policies in place may want to consider re-evaluating their policies and procedures to ensure that they are both up-to-date and effective.