A small nonprofit hospice in Idaho became the first healthcare
provider to settle a potential violation of the HIPAA Security Rule
affecting fewer than 500 individuals. On January 2, 2013, Hospice
of North Idaho agreed to a settlement in the amount of $50,000 with
the Department of Health and Human Services, Office of Civil Rights
(OCR) following an investigation relating to a 2010 breach
involving a stolen, unencrypted laptop containing patient
The settlement was notable in that it related not to the breach
itself, but to the fact that the hospice had not adopted
appropriate security policies or procedures to address mobile
device security and had not conducted a security risk analysis to
safeguard protected health information (PHI). The HIPAA Security
Rule requires covered entities to perform risk analyses to identify
potential vulnerabilities and to adopt plans to address these
vulnerabilities and reduce the risk of their exploitation. While
OCR typically acknowledges that breaches related to thefts or other
criminal activity are not the fault of the covered entity
maintaining the information, OCR has still penalized these entities
for failing to adopt appropriate measures to identify and mitigate,
before the fact, the risks of these criminal acts.
This was the case with Hospice of North Idaho, where there was
no evidence that the information contained on the laptop was
inappropriately accessed or used for any malicious purpose.
Further, according to the hospice, it appropriately investigated
the incident and adopted mitigation measures to lessen its impact.
The hospice performed a thorough risk assessment, increased
security measures on equipment containing PHI, and adopted stronger
security policies and procedures following the incident. It sent
appropriate breach notification letters to patients, and offered
families of deceased patients family support through the assignment
of a personal recovery advocate. In other words, it took every
measure it could to lessen the harmful effects of the breach. The
hospice was still penalized, however, because it had not performed
a security risk analysis or adopted appropriate security policies
before the breach occurred. In the
words of OCR Director Leon Rodriguez, "This action sends a
strong message to the health care industry that, regardless of
size, covered entities must take action and will be held
accountable for safeguarding their patients' health
Rodriguez also noted that "Encryption is an easy method for
making lost information unusable, unreadable and
undecipherable." This statement implies that OCR may be moving
closer to viewing encryption for laptops as an industry standard.
Although many entities have experienced difficulties in adopting
encryption as their standard for communications, the fact that OCR
may view encryption as an "easy method" for protection
indicates that covered entities may, by necessity, need to adopt
this level of protection in the future.