On January 2, 2013, the U.S. Department of Health and Human Services (HHS) announced a settlement with the Hospice of North Idaho (HONI) for potential HIPAA violations. For the first time, HHS has reached a settlement for a breach affecting the unprotected electronic protected health information (ePHI) of fewer than 500 patients.
In February 2011, HONI reported the June 2010 theft of an unencrypted laptop computer containing the ePHI of 441 patients. Based on the HHS Office for Civil Rights (OCR) investigation that followed, HHS concluded that HONI had not conducted an accurate and thorough risk analysis to safeguard ePHI on an ongoing basis as part of its security management process. Specifically, HONI did not (a) evaluate the impact and probability of the potential confidentiality risks posed to the ePHI maintained in and transmitted using portable devices; (b) implement appropriate security measures to address the potential risks; and (c) document the security measures and the rationale for their adoption; and did not maintain reasonable and appropriate security measures. HHS concluded that HONI did not reasonably implement security measures sufficient to ensure the confidentiality of ePHI created, maintained, and transmitted using portable devices. In particular, HONI failed to implement encryption on its devices.
HHS further observed that HONI did not have policies and procedures in place addressing mobile device security, as required by the HIPAA Security Rule.
In addition to paying $50,000, HONI will be required by the settlement to promptly investigate information that a workforce member may have failed to comply with its privacy and security policies and, if HONI determines that the member did fail to comply with the policies, it must notify HHS in writing within 30 days.
Although $50,000 is a relatively small settlement, it is substantial relative to the size of HONI, which had only $8.3 million in assets at the end of 2010. In a press release announcing the settlement, OCR Director Leon Rodriguez stated, “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.” He emphasized, “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”
Encryption of information on portable devices is becoming more essential as their use by the health care industry expands. Breaches involving laptops or other portable electronic devices have accounted for nearly 40 percent of all breaches of unsecured PHI affecting 500 or more individuals since 2009. OCR, in recognition of the increased role mobile devices play in the health care industry, has launched a new educational initiative, Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information, to offer practical tips on protecting patient information when using mobile devices. For more information on this initiative, visit HealthIT.gov/mobiledevices.