A small nonprofit hospice in Idaho became the first healthcare
provider to settle a potential violation of the HIPAA Security Rule
affecting fewer than 500 individuals. On January 2, 2013, Hospice
of North Idaho agreed to a settlement in the amount of $50,000 with
the Department of Health and Human Services, Office of Civil Rights
(OCR) following an investigation relating to a 2010 breach
involving a stolen, unencrypted laptop containing patient
The settlement was notable in that it related not to the breach
itself, but to the fact that the hospice had not adopted
appropriate security policies or procedures to address mobile
device security and had not conducted a security risk analysis to
safeguard protected health information (PHI). The HIPAA Security
Rule requires covered entities to perform risk analyses to identify
potential vulnerabilities and to adopt plans to address these
vulnerabilities and reduce the risk of their exploitation. While
OCR typically acknowledges that breaches related to thefts or other
criminal activity are not the fault of the covered entity
maintaining the information, OCR has still penalized these entities
for failing to adopt appropriate measures to identify and mitigate,
before the fact, the risks of these criminal acts.
This was the case with Hospice of North Idaho, where there was
no evidence that the information contained on the laptop was
inappropriately accessed or used for any malicious purpose.
Further, according to the hospice, it appropriately investigated
the incident and adopted mitigation measures to lessen its impact.
The hospice performed a thorough risk assessment, increased
security measures on equipment containing PHI, and adopted stronger
security policies and procedures following the incident. It sent
appropriate breach notification letters to patients, and offered
families of deceased patients family support through the assignment
of a personal recovery advocate. In other words, it took every
measure it could to lessen the harmful effects of the breach. The
hospice was still penalized, however, due to the fact that it had
not performed a security assessment or adopted appropriate security
policies prior to the time at which the breach occurred. In the
words of OCR Director Leon Rodriguez, "This action sends a
strong message to the health care industry that, regardless of
size, covered entities must take action and will be held
accountable for safeguarding their patients' health
Rodriguez also noted that "Encryption is an easy method for
making lost information unusable, unreadable and
undecipherable." This statement implies that OCR may be moving
closer to viewing encryption for laptops as an industry standard.
Although many entities have experienced difficulties in adopting
encryption as their standard for communications, the fact that OCR
may view encryption as an "easy method" for protection
indicates that covered entities may, by necessity, need to adopt
this level of protection in the future.
Recent enforcement actions by the Department of Health and Human Services, Office of Civil Rights underscore a continued focus on compliance with the Health Insurance Portability and Accountability Act and its implementing regulations, particularly the Security Rule.
Last Sunday’s New York Times article by Anemona Hartocollis on the illegality of posting baby pictures in a doctor’s office made me wonder if anyone I know could pick my kids’ faces out of a line up of cute newborn photos posted on the wall of a doctor’s office.
In the world of healthcare policy and law, we usually discuss issues impacting providers, but don’t often report about the training and infrastructure behind what allows our healthcare system to treat patients in our facilities.
CMS's long-awaited fingerprint-based background check screening process is underway for certain "high-risk" providers and suppliers participating in federal health care programs (specifically, Medicare, Medicaid, and the Children’s Health Insurance Program).