A small nonprofit hospice in Idaho became the first healthcare
provider to settle a potential violation of the HIPAA Security Rule
affecting fewer than 500 individuals. On January 2, 2013, Hospice
of North Idaho agreed to a settlement in the amount of $50,000 with
the Department of Health and Human Services, Office of Civil Rights
(OCR) following an investigation relating to a 2010 breach
involving a stolen, unencrypted laptop containing patient
The settlement was notable in that it related not to the breach
itself, but to the fact that the hospice had not adopted
appropriate security policies or procedures to address mobile
device security and had not conducted a security risk analysis to
safeguard protected health information (PHI). The HIPAA Security
Rule requires covered entities to perform risk analyses to identify
potential vulnerabilities and to adopt plans to address these
vulnerabilities and reduce the risk of their exploitation. While
OCR typically acknowledges that breaches related to thefts or other
criminal activity are not the fault of the covered entity
maintaining the information, OCR has still penalized these entities
for failing to adopt appropriate measures to identify and mitigate,
before the fact, the risks of these criminal acts.
This was the case with Hospice of North Idaho, where there was
no evidence that the information contained on the laptop was
inappropriately accessed or used for any malicious purpose.
Further, according to the hospice, it appropriately investigated
the incident and adopted mitigation measures to lessen its impact.
The hospice performed a thorough risk assessment, increased
security measures on equipment containing PHI, and adopted stronger
security policies and procedures following the incident. It sent
appropriate breach notification letters to patients, and offered
families of deceased patients family support through the assignment
of a personal recovery advocate. In other words, it took every
measure it could to lessen the harmful effects of the breach. The
hospice was still penalized, however, due to the fact that it had
not performed a security assessment or adopted appropriate security
policies prior to the time at which the breach occurred. In the
words of OCR Director Leon Rodriguez, "This action sends a
strong message to the health care industry that, regardless of
size, covered entities must take action and will be held
accountable for safeguarding their patients' health
Rodriguez also noted that "Encryption is an easy method for
making lost information unusable, unreadable and
undecipherable." This statement implies that OCR may be moving
closer to viewing encryption for laptops as an industry standard.
Although many entities have experienced difficulties in adopting
encryption as their standard for communications, the fact that OCR
may view encryption as an "easy method" for protection
indicates that covered entities may, by necessity, need to adopt
this level of protection in the future.
Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.
The American Bar Association Health Law Section’s July 2014 eSource publication includes an article by Dianne Bourque, Kimberly Gold, and me that provides examples of how risk assessments under the Breach Notification Rule have changed since the HIPAA Omnibus Rule went into effect in September 2013.