January 7, 2013

HIPAA Enforcement for Breach Involving Less than 500 Patients

The U.S. Department of Health and Human Services (HHS) initiated a compliance investigation after the Hospice of North Idaho (HONI) reported to HHS that an unencrypted laptop computer containing the electronic protected health information (ePHI) of 441 patients had been stolen.

Pursuant to the Health Information Technology for Economic and Clinical Health Act (HITECH), if a breach of unsecured PHI involves less than 500 impacted individuals, a log of the unauthorized disclosure must be maintained and submitted to HHS on an annual basis.

As a result of the investigation, the HHS Office for Civil Rights (OCR) discovered that HONI had not conducted a risk analysis to safeguard ePHI and did not have written policies or procedures addressing mobile device security, as required by the HIPAA Security Rule. HONI agreed to pay HHS $50,000 to settle the potential violations.

The settlement confirms that the OCR may conduct a compliance investigation in response to these required “self” disclosures.

This post is contributed by Charles Dunham.