Hospice Gets $50,000 HIPAA PenaltyFirst Settlement After a Breach Affecting Fewer Than 500
For the first time, a federal investigation of a health information breach that affected fewer than 500 individuals has resulted in a penalty for HIPAA violations. The case illustrates that no matter what the size of a breach, the Department of Health and Human Services' Office for Civil Rights may impose penalties if its investigation reveals HIPAA non-compliance issues.
See Also: The Power and Scale of XDR
The $50,000 settlement in the case, which involved the theft of an unencrypted laptop computer from the non-profit Hospice of North Idaho, demonstrates OCR is ramping up HIPAA enforcement, says Leon Rodriguez, director of the office.
"This action sends a strong message to the healthcare industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients' health information," Rodriguez says in a statement.
The OCR corrective action plan for the hospice spells out that the organization must, if it receives information that a staff member failed to comply with its security and privacy policies and procedures, promptly investigate the matter and notify HHS within 30 days, offering a description of actions taken to mitigate harm.
The community hospice, located in Hayden, Idaho, issued a settlement statement on Dec. 27 announcing it had recently agreed to pay the penalty following OCR's investigation into a 2010 theft of a hospice laptop computer.
The OCR acknowledges in its Jan. 2 statement that the stolen laptop contained protected health information on 441 individuals. That included patient names, addresses, dates of birth, Social Security numbers, diagnoses, medications, lab results and other treatment information. OCR began its investigation after the hospice reported at the end of 2010 to HHS that an unencrypted laptop computer had been stolen in June 2010.
The stolen laptop was assigned to a hospice nurse and part of an inventory of laptops used by nurses, social workers, and others for field work, the OCR spokeswoman said. The laptop was stolen from the employee's car while parked at her home the weekend of June 18, 2010.
"Because the breach involved fewer than 500 individuals, the hospice reported the incident to OCR at the end of the 2010 calendar year as part of its breach notification responsibilities," an OCR spokeswoman told HealthcareInfoSecurity.
Lack of Risk Analysis
The OCR investigation determined that the hospice had not conducted a risk analysis to safeguard electronic protected health information, according to OCR's statement. Further, the hospice did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule, the statement notes.
Since the June 2010 theft, however, the hospice has taken extensive additional steps to improve their HIPAA Privacy and Security compliance program, OCR acknowledges. In its statement, the hospice said it had, for example, encrypted all laptops, strengthened password enforcement and provided ongoing HIPAA privacy and security training.
While the breach at the Hospice of North Idaho was listed on Dec. 31 as a new example on the enforcement activities and results section of the HHS website, the incident is not listed among the 525 breaches on OCR's wall of shame. That's because that list only includes breaches affecting 500 or more individuals that have been reported to HHS since the HIPAA breach notification rule went into effect in September 2009.
Shortly after the incident occurred, Hospice of North Idaho began an internal investigation and mitigation, according to the hospice's statement.
The hospice says there is no evidence that any information was accessed. However, the organization took precautionary steps "in the event the information was used maliciously." Those steps included contacting patients and families of patients who could have been affected by the theft. The hospice offered those affected free credit monitoring, and families of deceased patients were offered family support through the assignment of a personal recovery advocate.
"Upon report of the theft, Hospice of North Idaho immediately began a risk assessment and development of a corrective action plan," the statement notes. "Also during this time, Hospice of North Idaho hired industry experts in the areas of information technology and human resources, replacing the outsourced services employed during the time of the laptop theft."
The hospice did not respond to HealthcareInfoSecurity's inquiries for additional information regarding the breach incident and settlement.
Other 2012 Settlements
Five 2012 HIPAA breach settlements are listed on the HHS website. In addition to the Hospice of North Idaho incident, those include:
- A $1.7 million settlement with the Alaska Department of Health and Human Services related to a stolen USB storage drive containing data on possibly 500 or more Medicaid beneficiaries, which led to OCR finding a variety of other HIPAA non-compliance isues at the agency, including insufficient risk management.
- A $1.5 million settlement with Massachusetts Eye and Ear Infirmary after the theft of an unencrypted laptop containing data on about 3,500 patients. HIPAA non-compliance issues included failure to conduct a thorough risk analysis for protecting information stored on mobile devices.
- A $1.5 settlement with Blue Cross Blue Shield of Tennessee related to the theft of 57 unencrypted disk drives containing data on about 1 million patients. The corrective action plan as part of the settlement instructed Blue Cross Blue Shield of Tennessee, among other things, to conduct thorough assessment or risks involved when data is created, received, maintained, used or transmitted on-site or off-site.
- A $100,000 settlement with Phoenix Cardiac Surgery in April. That case involved the posting of clinical and surgical appointments for an unspecified number of its patients on an Internet-based calendar that was publicly accessible. Other non-compliance issues discovered by OCR during its investigation include insufficient staff training.
Size of Financial Penalty
Hospice of North Idaho says its response to the incident helped lower its non-compliance fine. "Because of the proactive approach taken and Hospice of North Idaho's current security plan, the OCR's settlement amount is significantly less than the standard penalties imposed," its statement notes.
But while the financial settlement with the hospice is substantially less hefty than most others, its sting is just as painful, says Rebecca Herold, CEO of The Privacy Professor and partner at Compliance Helper, both IT security consulting firms. "Fifty thousand dollars is a huge amount for a small non-profit," she says.
"They are now going to need to do much more fund-raising to recoup that amount than they had probably anticipated," she says. "Just think how much less costly it would have been for them to have invested a comparatively small amount in implementing encryption and implementing comprehensive and customized information security and privacy policies."
The settlement with the hospice also signals that more OCR HIPAA enforcement actions involving health entities of all sizes are likely in the months to come.
OCR in its various breach investigations and the 115 random HIPAA audits performed in 2012 found "plenty of noncompliance out there and plenty of room for improvement," OCR director Rodriguez said in a recent interview with HealthcareInfoSecurity.
"I expect that we're going to continue to see monetary settlements for a long time to come," he said. "The other thing is I know what we have, in inventory, cases that we're already doing that are sort of moving through the investigative and findings process, and that will result in settlements."
Herold says OCR's settlement in the hospice case shows the agency is serious about HIPAA enforcement.
"If the hospice had not been as proactive in their remediation actions following the breach, the sanction settlement would likely have been higher," she says. "This clearly signifies that all covered entities - and in the very near future their business associates - need to be diligent in meeting all their compliance requirements, and that they should have a comprehensive, fully documented, compliance program in place," she says.
"Too many covered entities still think that simply doing one risk assessment, and nothing more, is going to be sufficient for HIPAA compliance," she adds. "Those who still believe this are making a very high-stakes gamble with their business."