July 25, 2014

What Can Healthcare Entities Learn from the First Settlement for a HIPAA Breach Involving Fewer than 500 Patients?

A breach of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule in 2010 by the Hospice of North Idaho (HONI) resulted in a recent settlement payment of $50,000 to the U.S. Department of Health and Human Services (HHS). While settlements for large HIPAA violations have become increasingly common in recent years, this particular settlement is the first for a breach affecting fewer than 500 individuals.

The investigation by the HHS Office of Civil Rights (OCR) began after HONI reported the theft of an unencrypted laptop containing electronic patient health information (ePHI). While the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule requires breaches affecting 500 or more individuals to be reported to HHS within 60 days after discovery, those breaches affecting fewer than 500 individuals need only be reported to HHS on an annual basis. During the investigation, OCR determined that HONI had neither conducted a risk analysis to safeguard ePHI nor implemented procedures or policies to address mobile device security, as required under HIPAA.

In the HONI case and a recent case involving the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates (MEEI) (which resulted in a $1.5 million settlement payment to HHS), OCR focused not only on the breach itself, but also on whether the breaching entity had sufficient written HIPAA policies and had conducted the risk assessment required under the HIPAA Security Rule. Healthcare entities, particularly smaller entities that may have previously thought that their size provided protection from HHS investigations and penalties, may want to consider the HONI settlement, along with recent settlements for larger breaches such as MEEI, as a "wake-up call" to develop or evaluate their own HIPAA Privacy and Security policies and procedures. Entities subject to HIPAA that do not have such policies and procedures in place would be prudent to adopt and maintain policies and procedures addressing their specific HIPAA needs and concerns to reduce the chance of a breach. Furthermore, even those entities that have HIPAA policies in place may want to consider re-evaluating their policies and procedures to ensure that they are both up-to-date and effective.


About the Author

Nita Garg, Health Care Attorney, Barnes & Thornburg LLP
Staff Attorney

Nita Garg is an associate in Barnes & Thornburg LLP’s Chicago office and a member of the firm’s Healthcare Department. Ms. Garg assists clients with healthcare issues, including physician employment, physician-hospital contracting, Medicare and Medicaid reimbursement, and various state and federal regulatory matters, including fraud and abuse and HIPAA. 
