April 18, 2014

What Can Healthcare Entities Learn from the First Settlement for a HIPAA Breach Involving Fewer than 500 Patients?

A breach of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule in 2010 by the Hospice of North Idaho (HONI) resulted in a recent settlement payment of $50,000 to the U.S. Department of Health and Human Services (HHS). While settlements for large HIPAA violations have become increasingly common in recent years, this particular settlement is the first for a breach affecting fewer than 500 individuals.

The investigation by the HHS Office for Civil Rights (OCR) began after HONI reported the theft of an unencrypted laptop containing electronic protected health information (ePHI). While the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule requires breaches affecting 500 or more individuals to be reported to HHS within 60 days after discovery, breaches affecting fewer than 500 individuals need only be reported to HHS on an annual basis. During the investigation, OCR determined that HONI had neither conducted a risk analysis to safeguard ePHI nor implemented policies or procedures to address mobile device security, as required under HIPAA.

In the HONI case and a recent case involving the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates (MEEI) (which resulted in a $1.5 million settlement payment to HHS), OCR focused not only on the breach itself, but also on whether the breaching entity had sufficient written HIPAA policies and had conducted the risk assessment required under the HIPAA Security Rule. Healthcare entities, particularly smaller entities that may have previously assumed their size protected them from HHS investigations and penalties, may want to treat the HONI settlement, along with recent settlements for larger breaches such as MEEI, as a "wake-up call" to develop or evaluate their own HIPAA Privacy and Security policies and procedures. Entities subject to HIPAA that do not have such policies and procedures in place would be prudent to adopt and maintain policies and procedures addressing their specific HIPAA needs and concerns, to reduce the chance of a breach. Furthermore, even entities that already have HIPAA policies in place may want to re-evaluate their policies and procedures to ensure that they are both up to date and effective.

© 2014 BARNES & THORNBURG LLP

About the Author

Nita Garg, Staff Attorney, Barnes & Thornburg LLP

Nita Garg is an associate in Barnes & Thornburg LLP's Chicago office and a member of the firm's Healthcare Department. Ms. Garg assists clients with healthcare issues, including physician employment, physician-hospital contracting, Medicare and Medicaid reimbursement, and various state and federal regulatory matters, including fraud and abuse and HIPAA.
