
HHS Enforces Penalties for Losing Less Than 500 Patient Records

The Hospice of Northern Idaho (HONI) has agreed to pay the U.S. Department of Health and Human Services (HHS) $50,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.  Source: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/honi-agreement.html

HONI reported that an unencrypted laptop containing 441 patient records was stolen in 2010. HHS began an investigation and discovered that HONI had not performed a risk analysis to safeguard its PHI, nor did it have any policies or procedures in place regarding mobile device security, both of which are required by HIPAA.

The HITECH breach notification rule requires covered entities to report loss of 500 or more records to HHS and the media within 60 days, but also requires that smaller breaches be reported on an annual basis.

According to the agreement between HHS and HONI, the official reasons for the fine were:

  • HONI did not conduct an accurate and thorough analysis of the risk to the confidentiality of ePHI on an on-going basis as part of its security management process.
  • HONI did not adequately adopt or implement security measures sufficient to ensure the confidentiality of ePHI that it created, maintained, and transmitted using portable devices to a reasonable and appropriate level.

In a recent blog post we discussed how many health care organizations are still focused on protecting themselves from their own internal mistakes and are not prepared to face the threat of malicious attacks from the outside. This case is another example where a basic and simple information security practice (encrypting a laptop) would have prevented significant fines and court costs. Has your organization reviewed its standard security practices? Would you be protected if someone lost a laptop? What if someone actively targeted your records?