OCR’s recent enforcement action against a small non-profit hospice organization in Idaho is more evidence that OCR is looking carefully at HIPAA Security Rule compliance. On December 28, 2012, HHS announced that Hospice of Northern Idaho (“HONI”) had agreed to pay HHS $50,000 to settle potential violations of the HIPAA Security Rule. This is the first settlement involving a breach of PHI affecting fewer than 500 individuals, and it sends a strong message to all covered entities that OCR will impose a penalty for HIPAA non-compliance regardless of the size of the breach.
This enforcement action arose out of the theft of an unencrypted laptop containing the protected health information of 441 individuals, including patient names, addresses, dates of birth, Social Security numbers, diagnoses, medications, lab results and other treatment information. The laptop was stolen from a HONI employee’s car while it was parked at her home in June 2010.
Because the breach affected fewer than 500 individuals, HONI reported it to HHS at the end of 2010, as HITECH requires for smaller breaches, and OCR then began its investigation.
OCR sanctioned HONI after finding that the hospice (1) had not conducted a security risk analysis as required by the HIPAA Security Rule; (2) had no policies or procedures in place to address mobile device security; and (3) had not implemented security measures to address the risk of losing patient health information, nor maintained a process for managing that risk.
This enforcement action should serve as a warning to all covered entities, big and small, that Security Rule compliance must be a priority. At a minimum, in light of the HONI settlement, all covered entities should consider implementing the following Security Rule measures:
- Conduct (or update) an annual security risk analysis, including an evaluation of the potential risks to PHI maintained in and transmitted using portable electronic devices;
- Adopt security measures to ensure confidentiality of PHI created, maintained and transmitted using portable electronic devices;
- Properly encrypt PHI on laptops and other portable devices;
- Continually train employees on encryption and mobile device policies.