On Wednesday, HHS announced that Hospice of North Idaho has agreed to pay $50,000 to settle potential HIPAA violations after an unencrypted laptop containing electronic health information on 441 patients was stolen in 2010, Becker's Hospital Review reports.
First HHS Settlement Stemming From Small Data Breach
The agreement marks HHS' first settlement resulting from a data breach affecting fewer than 500 people.
Health data breaches that affect 500 or more individuals must be reported to HHS and the media within 60 days of discovering the incident. Breaches affecting fewer than 500 individuals must be reported to HHS annually.
Leon Rodriguez, director of HHS' Office for Civil Rights, said, "This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients' health information" (McLaughlin, Becker's Hospital Review, 1/2).
In its announcement, OCR said that Hospice of North Idaho "did not have in place policies or procedures to address mobile device security as required by the HIPAA security rule." The organization also had not conducted a risk analysis to protect electronic health information, OCR said (Conn, Modern Healthcare, 1/2).
Hospice of North Idaho has made significant improvements to its security procedures since the theft, according to HHS (Becker's Hospital Review, 1/2).