• Related Professionals -

Health Law Alert: HHS Announces First HIPAA Breach Settlement Involving Less Than 500 Patients

January 09, 2013

On January 2, 2013, the United States Department of Health and Human Services announced that the Hospice of North Idaho (HONI) has agreed to pay $50,000 to the federal government to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. Significantly, this is the first settlement involving a breach of unprotected electronic protected health information (PHI) affecting fewer than 500 individuals.

The HHS Office for Civil Rights (OCR) conducted its investigation following a breach report submitted by HONI as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act reporting the theft of a laptop computer containing the PHI of 441 patients. During the investigation, OCR discovered that HONI had not conducted a risk analysis to safeguard the PHI in its possession, and that HONI did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule. 
Covered entities under HIPAA, such as hospitals and other health care providers and suppliers, should take this opportunity to review their existing HIPAA privacy and security policies and procedures to ensure compliance with federal law. Covered entities should also ensure that they have performed the appropriate risk analysis under HIPAA to safeguard all PHI in their possession. 
The HHS press release can be found on the HHS News page: 
The Resolution Agreement can be found on the OCR website at: