HHS Focuses on Data Breach Cases Involving Fewer than 500 Patients
Jan. 3 —
The U.S. Department of Health and Human Services (HHS) announced its first settlement involving a breach in security of electronic protected health information (ePHI) that affected fewer than 500 patients.
The Hospice of North Idaho (HONI) has agreed to pay HHS $50,000 to settle potential violations of the HIPAA Security Rule after HONI reported that an unencrypted laptop containing ePHI for 441 patients was stolen in June 2010. HONI employees routinely use laptops during field work.
The HHS Office for Civil Rights determined that HONI did not have policies or procedures in place to address mobile device security, as required by the HIPAA Security Rule, and had not performed a risk analysis to determine ways to safeguard ePHI. HONI has since undertaken extensive measures to safeguard ePHI, HHS said in a release. HONI paid $50,000 to HHS to settle the case.
The HITECH Breach Notification Rule requires covered entities to report data breaches involving 500 or more patients to HHS and to the media within 60 days of discovering the breach. Smaller breaches affecting fewer than 500 individuals must be reported to HHS annually.
Publication Date: Thursday, January 03, 2013