The Department of Health and Human Services has entered its first settlement agreement for a HIPAA breach involving fewer than 500 individuals. Hospice of North Idaho must pay the government $50,000 to settle HIPAA violations resulting from a stolen laptop. The laptop, which was not encrypted, contained protected health information (PHI) for 441 patients.
The Hospice did not have policies or procedures in place to address mobile device security, as required by the HIPAA Security Rule. If the Hospice had had a policy of encrypting the laptop (and if the policy had been followed), the electronic PHI stored on the laptop would have been unusable, unreadable and indecipherable to whoever took it, and the theft would therefore potentially not have been subject to HIPAA's breach notification requirements.
The Breach Notification Rule added by the Health Information Technology for Economic and Clinical Health (HITECH) Act requires covered entities to notify affected individuals of an unauthorized use or disclosure of protected health information that constitutes a breach, and to notify HHS and the media without unreasonable delay when a breach affects 500 or more individuals. Smaller breaches affecting fewer than 500 individuals must be reported to HHS on an annual basis. This reporting obligation applies only to breaches of "unsecured" PHI. PHI that has been encrypted in a manner consistent with HHS guidance is considered secured and is not subject to breach reporting, provided the encryption key itself was not also compromised.
The settlement agreement in this case arose out of the Hospice's annual report of small breaches to HHS. It shows that HHS takes seriously a breach of the information of even a few hundred individuals.