Facility Hit with First Small Breach HIPAA Fine
The Hospice of North Idaho will pay the US Department of Health and Human Services (HHS) a $50,000 fine in the first settlement to take place over a breach of protected health information that affected fewer than 500 individuals.
The breach occurred in June 2010 and affected a total of 441 patients, whose information was contained on a stolen laptop computer. HHS was first notified of the breach in February 2011. Investigations by HHS’ Office for Civil Rights (OCR) revealed that the Hospice of North Idaho had not conducted a risk analysis to safeguard electronic protected health information, and the organization did not have policies or procedures in place for mobile device security, according to an HHS press release. Both are required by HIPAA.
“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information,” said OCR Director Leon Rodriguez in the release.
The Hospice of North Idaho has already taken steps to improve the facility’s compliance with the HIPAA Privacy and Security rule, according to the release.
The organization has registered a resolution agreement and corrective action plan with OCR in addition to the fine. While the agreement does not admit liability, HHS has not conceded that the organization was not in violation of the HIPAA Privacy and Security rule.