HHS Announces First HIPAA Breach Settlement Involving Less Than 500 Patients

January 18, 2013

On January 2, 2013, the U.S. Department of Health and Human Services (“HHS”) announced the first settlement of potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule in a breach affecting fewer than 500 patients.  The $50,000 settlement resulted from a breach of unprotected electronic protected health information (“ePHI”) on a stolen laptop.

The HIPAA Security Rule requires covered entities to adopt a series of administrative, technical, and physical security procedures to ensure the confidentiality of ePHI.  The Health Information Technology for Economic and Clinical Health (“HITECH”) Act includes a mandate to improve the enforcement of the HIPAA Security Rule.  To that end, the HITECH Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information or a breach affecting 500 individuals or more to the Secretary of HHS and the media within 60 days after the discovery of the breach.  Smaller breaches affecting fewer than 500 individuals must be reported to the Secretary on an annual basis, within 60 days of the end of the calendar year in which the breaches occurred.  Notifications of all breaches that occurred in calendar year 2012 must be submitted by March 1, 2013.

The HITECH Breach Notification Rule also requires covered entities to:  (1) have in place written policies and procedures regarding breach notification; (2) train employees on breach notification policies and procedures; and (3) develop and apply appropriate sanctions against workforce members who do not comply with the breach notification policies and procedures.

After an extensive investigation by the HHS Office for Civil Rights (“OCR”), the Hospice of North Idaho (“HONI”) agreed to pay HHS $50,000 for a breach involving fewer than 500 patients.  The breach occurred after an unencrypted HONI laptop computer containing the ePHI of 441 patients was stolen in June 2010.  Laptops containing ePHI were regularly used by HONI as part of its field work.  Although HONI properly reported the breach to HHS, the investigation revealed that HONI had not implemented certain safeguards as required by the HIPAA Security Rule, including policies and procedures to address mobile device security.  Moreover, HONI had not conducted any risk analysis to safeguard ePHI as required by the HIPAA Security Rule.

The HONI settlement reveals the importance of having in place the required policies and procedures to ensure confidentiality of ePHI.  Compliance with the notification requirement will not relieve an organization of liability if that organization has not implemented the required administrative, technical and physical policies and procedures.
