HHS announced The Hospice of North Idaho has agreed to a $50,000 settlement for potential HIPPA violations that may have compromised 441 patients' electronic protected health information after a 2010 security breach. It's the first settlement HHS has received for a breach involving less than 500 patients.
The hospice reported to the HHS Office for Civil Rights that an unencrypted laptop containing ePHI was stolen in June 2010. On investigating the breach, OCR learned the hospice did not have adequate policies in place to protect patient information in compliance with HIPPA rules on ePHI. HHS said in a news release that the hospice has made significant improvements since the theft.
"This action sends a strong message to the healthcare industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients' health information," said OCR Director Leon Rodriguez in a news release. "Encryption is an easy method for making lost information unusable, unreadable and undecipherable."
Data security breaches involving 500 individuals or more must be reported to HHS and the media within 60 days of discovering the breach. Breaches that compromise fewer than 500 individuals' data must be reported annually to HHS.
9 Key Legal Developments Facing Hospitals
University of Michigan Health Data Breach Affects 4k Patients
The hospice reported to the HHS Office for Civil Rights that an unencrypted laptop containing ePHI was stolen in June 2010. On investigating the breach, OCR learned the hospice did not have adequate policies in place to protect patient information in compliance with HIPPA rules on ePHI. HHS said in a news release that the hospice has made significant improvements since the theft.
"This action sends a strong message to the healthcare industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients' health information," said OCR Director Leon Rodriguez in a news release. "Encryption is an easy method for making lost information unusable, unreadable and undecipherable."
Data security breaches involving 500 individuals or more must be reported to HHS and the media within 60 days of discovering the breach. Breaches that compromise fewer than 500 individuals' data must be reported annually to HHS.
More Articles on HIPPA Security Breaches:
5 Best Practices for Improving Data Security9 Key Legal Developments Facing Hospitals
University of Michigan Health Data Breach Affects 4k Patients