HHS Announces First HIPAA Breach Settlement Involving Fewer Than 500 Patients

January 18, 2013

On January 2, 2013, the U.S. Department of Health and Human Services (“HHS”) announced its first settlement of potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule arising from a breach that affected fewer than 500 patients.  The $50,000 settlement resulted from a breach of unprotected electronic protected health information (“ePHI”) stored on a stolen laptop.

The HIPAA Security Rule requires covered entities to adopt administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of ePHI.  The Health Information Technology for Economic and Clinical Health (“HITECH”) Act includes a mandate to strengthen enforcement of the HIPAA Security Rule.  To that end, the HITECH Breach Notification Rule requires covered entities to notify affected individuals of any breach of unsecured protected health information, and to report a breach affecting 500 or more individuals to the Secretary of HHS and to the media within 60 days after the breach is discovered.  Smaller breaches affecting fewer than 500 individuals must be reported to the Secretary on an annual basis, within 60 days of the end of the calendar year in which the breaches were discovered.  Notifications of all such breaches that occurred in calendar year 2012 must therefore be submitted by March 1, 2013.

The HITECH Breach Notification Rule also requires covered entities to:  (1) have in place written policies and procedures regarding breach notification; (2) train employees on breach notification policies and procedures; and (3) develop and apply appropriate sanctions against workforce members who do not comply with the breach notification policies and procedures.

After an extensive investigation by the HHS Office for Civil Rights (“OCR”), the Hospice of North Idaho (“HONI”) agreed to pay HHS $50,000 for a breach involving fewer than 500 patients.  The breach occurred in June 2010, when an unencrypted HONI laptop computer containing the ePHI of 441 patients was stolen.  HONI regularly used laptops containing ePHI as part of its field work.  Although HONI properly reported the breach to HHS, the investigation revealed that HONI had not implemented certain safeguards required by the HIPAA Security Rule, including policies and procedures addressing mobile device security.  Moreover, HONI had never conducted the risk analysis of threats to its ePHI that the HIPAA Security Rule requires.

The HONI settlement underscores the importance of having the required policies and procedures in place to protect ePHI before a loss occurs, particularly for portable devices that leave the premises.  Compliance with the notification requirement will not relieve an organization of liability if it has not implemented the administrative, technical, and physical safeguards the Security Rule requires; a documented risk analysis and encryption of ePHI on laptops and other mobile devices are the measures OCR most commonly looks for after a device theft.
