A small nonprofit hospice in Idaho became the first healthcare
provider to settle a potential violation of the HIPAA Security Rule
affecting fewer than 500 individuals. On January 2, 2013, Hospice
of North Idaho agreed to a settlement in the amount of $50,000 with
the Department of Health and Human Services, Office of Civil Rights
(OCR) following an investigation relating to a 2010 breach
involving a stolen, unencrypted laptop containing patient
The settlement was notable in that it related not to the breach
itself, but to the fact that the hospice had not adopted
appropriate security policies or procedures to address mobile
device security and had not conducted a security risk analysis to
safeguard protected health information (PHI). The HIPAA Security
Rule requires covered entities to perform risk analyses to identify
potential vulnerabilities and to adopt plans to address these
vulnerabilities and reduce the risk of their exploitation. While
OCR typically acknowledges that breaches related to thefts or other
criminal activity are not the fault of the covered entity
maintaining the information, OCR has still penalized these entities
for failing to adopt appropriate measures to identify and mitigate,
before the fact, the risks of these criminal acts.
This was the case with Hospice of North Idaho, where there was
no evidence that the information contained on the laptop was
inappropriately accessed or used for any malicious purpose.
Further, according to the hospice, it appropriately investigated
the incident and adopted mitigation measures to lessen its impact.
The hospice performed a thorough risk assessment, increased
security measures on equipment containing PHI, and adopted stronger
security policies and procedures following the incident. It sent
appropriate breach notification letters to patients, and offered
families of deceased patients family support through the assignment
of a personal recovery advocate. In other words, it took every
measure it could to lessen the harmful effects of the breach. The
hospice was still penalized, however, due to the fact that it had
not performed a security assessment or adopted appropriate security
policies prior to the time at which the breach occurred. In the
words of OCR Director Leon Rodriguez, "This action sends a
strong message to the health care industry that, regardless of
size, covered entities must take action and will be held
accountable for safeguarding their patients' health
Rodriguez also noted that "Encryption is an easy method for
making lost information unusable, unreadable and
undecipherable." This statement implies that OCR may be moving
closer to viewing encryption for laptops as an industry standard.
Although many entities have experienced difficulties in adopting
encryption as their standard for communications, the fact that OCR
may view encryption as an "easy method" for protection
indicates that covered entities may, by necessity, need to adopt
this level of protection in the future.
While some may consider improper multiple dependent claims as failing to comply with a mere formality, this case serves as a reminder that a court may consider any statutory requirement when assessing patent validity.
Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.
While at first pass the case focuses on a small set of insurance policies, this decision could have broader implications on the individual market and further threaten the sustainability of the risk pools.
The Centers for Medicare & Medicaid Services and the Office of Inspector General have reviewed the use of Modifier 25 to unbundle payments for evaluation and management services when a procedure is performed.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).