On January 2, 2013, the U.S. Department of Health and Human Services (“HHS”) announced the first settlement involving potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule involving less than 500 patients. The $50,000 settlement resulted from a breach of unprotected electronic protected health information (“ePHI”) on a stolen laptop.
The HIPAA Security Rule specifies that covered entities adopt a series of administrative, technical, and physical security procedures to ensure the confidentiality of ePHI. The Health Information Technology for Economic and Clinical Health (“HITECH”) Act includes a mandate to improve the enforcement of the HIPAA Security Rule. To that end, the HITECH Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information or a breach of 500 individuals or more to the Secretary of HHS and the media within 60 days after the discovery of the breach. Smaller breaches affecting less than 500 individuals must be reported to the Secretary on an annual basis, within 60 days of the end of the calendar year in which the breaches occurred. Notifications of all breaches that occurred in calendar year 2012 must be submitted by March 1, 2013.
The HITECH Breach Notification Rule also requires covered entities to: (1) have in place written policies and procedures regarding breach notification; (2) train employees on breach notification policies and procedures; and (3) develop and apply appropriate sanctions against workforce members who do not comply with the breach notification policies and procedures.
After an extensive investigation by the HHS Office for Civil Rights (“OCR”), the Hospice of North Idaho (“HONI”) agreed to pay HHS $50,000 for a breach involving less than 500 patients. The breach occurred after a HONI unencrypted laptop computer containing the ePHI of 441 patients was stolen in June 2010. Laptops containing ePHI were regularly used by HONI as part of its field work. Although HONI properly reported the breach to HHS, the investigation revealed that HONI had not implemented certain safeguards as required by the HIPAA Security Rule, including policies and procedures to address mobile device security. Moreover, HONI had not conducted any risk analysis to safeguard ePHI as required by the HIPAA Security Rule.
The HONI settlement reveals the importance of having in place the required policies and procedures to ensure confidentiality of ePHI. Compliance with the notification requirement will not relieve an organization of liability if that organization has not implemented the required administrative, technical and physical policies and procedures.