A small nonprofit hospice in Idaho became the first healthcare provider to settle a potential violation of the HIPAA Security Rule affecting fewer than 500 individuals. On January 2, 2013, Hospice of North Idaho agreed to a settlement in the amount of $50,000 with the Department of Health and Human Services, Office of Civil Rights (OCR) following an investigation relating to a 2010 breach involving a stolen, unencrypted laptop containing patient information.
The settlement was notable in that it related not to the breach itself, but to the fact that the hospice had not adopted appropriate security policies or procedures to address mobile device security and had not conducted a security risk analysis to safeguard protected health information (PHI). The HIPAA Security Rule requires covered entities to perform risk analyses to identify potential vulnerabilities and to adopt plans to address these vulnerabilities and reduce the risk of their exploitation. While OCR typically acknowledges that breaches related to thefts or other criminal activity are not the fault of the covered entity maintaining the information, OCR has still penalized these entities for failing to adopt appropriate measures to identify and mitigate, before the fact, the risks of these criminal acts.
This was the case with Hospice of North Idaho, where there was no evidence that the information contained on the laptop was inappropriately accessed or used for any malicious purpose. Further, according to the hospice, it appropriately investigated the incident and adopted mitigation measures to lessen its impact. The hospice performed a thorough risk assessment, increased security measures on equipment containing PHI, and adopted stronger security policies and procedures following the incident. It sent appropriate breach notification letters to patients, and offered families of deceased patients family support through the assignment of a personal recovery advocate. In other words, it took every measure it could to lessen the harmful effects of the breach. The hospice was still penalized, however, due to the fact that it had not performed a security assessment or adopted appropriate security policies prior to the time at which the breach occurred. In the words of OCR Director Leon Rodriguez, “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.”
Rodriguez also noted that “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.” This statement implies that OCR may be moving closer to viewing encryption for laptops as an industry standard. Although many entities have experienced difficulties in adopting encryption as their standard for communications, the fact that OCR may view encryption as an “easy method” for protection indicates that covered entities may, by necessity, need to adopt this level of protection in the future.
For additional information, please contact Stephen Page or any member of the Waller Healthcare Department at 800.487.6380.
The opinions expressed in this bulletin are intended for general guidance only. They are not intended as recommendations for specific situations. As always, readers should consult a qualified attorney for specific legal guidance.