HHS announces first HIPAA breach settlement involving less than 500 patients

|

1269437_laptop_and_cellphone[1].jpgA single unencrypted laptop computer containing electronic protected health information (ePHI) cost The Hospice of North Idaho (HONI) $50,000. HONI agreed to pay the U.S. Department of Health and Human Services (HHS) a $50,000 fine to settle potential breaches of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.

HONI regularly used laptops in field work. However, according to HHS, HONI did not conduct an accurate and thorough analysis of the risk to the confidentiality of ePHI posed by mobile devices on an on-going basis as part of its security management process in violation of HIPAA. HONI also failed to implement security measures sufficient to ensure the confidentiality of ePHI that it created, maintained and transmitted using portable devices, another alleged HIPAA breach. In addition to the fine, HHS required HONI to enter into a corrective action plan.

The HONI settlement is notable as the first settlement of an alleged HIPAA violation based on breach of ePHI affecting fewer than 500 individuals. The government discovered in its investigation that HONI simply failed to conduct any risk assessment to safeguard ePHI and failed to have policies and procedures to address mobile devices. Leon Rodriquez, the Director of the HHS Office for Civil Rights, explained: “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.”

It is critical for medical practices and other health care businesses that mobile devices, such as smart phones, laptops and tablets, be included in their HIPAA risk assessment and compliance process. Being small is no insulation for a health care provider from the risks associated with HIPAA violations, a reality underscored by this HHS announcement. All providers should obtain a risk assessment and regularly review and document their HIPAA policies and procedures.

Kevin Little is an Augusta and Atlanta business lawyer whose practice is focused on health care issues. He is “AV” rating by Martindale Hubbell (its highest rating). Our firm has offices in Atlanta and Augusta, Georgia. You can contact us at (404) 685-1662 (Atlanta) or (706) 722-7886 to arrange a consultation.

Source: HHS News Release

*Disclaimer: Thoughts shared here do not constitute legal advice.

Posted in: HIPAA
Updated:

Comments are closed.

Contact Information
Atlanta
75 14th St NW
Suite 2840-B
Atlanta, GA 30309
Phone: 404-685-1662Fax: 404-795-5855
Augusta
1450 Greene Street
Suite 3600
Augusta, GA 30901
Phone: 706-722-7886Fax: 404-795-5855

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Please do not include any confidential or sensitive information in a contact form, text message, or voicemail. The contact form sends information by non-encrypted email, which is not secure. Submitting a contact form, sending a text message, making a phone call, or leaving a voicemail does not create an attorney-client relationship.

Copyright © 2015 – 2024, Hamil Little
JUSTIA Law Firm Blog Design