A small nonprofit hospice in Idaho became the first healthcare
provider to settle a potential violation of the HIPAA Security Rule
affecting fewer than 500 individuals. On January 2, 2013, Hospice
of North Idaho agreed to a settlement in the amount of $50,000 with
the Department of Health and Human Services, Office of Civil Rights
(OCR) following an investigation relating to a 2010 breach
involving a stolen, unencrypted laptop containing patient
The settlement was notable in that it related not to the breach
itself, but to the fact that the hospice had not adopted
appropriate security policies or procedures to address mobile
device security and had not conducted a security risk analysis to
safeguard protected health information (PHI). The HIPAA Security
Rule requires covered entities to perform risk analyses to identify
potential vulnerabilities and to adopt plans to address these
vulnerabilities and reduce the risk of their exploitation. While
OCR typically acknowledges that breaches related to thefts or other
criminal activity are not the fault of the covered entity
maintaining the information, OCR has still penalized these entities
for failing to adopt appropriate measures to identify and mitigate,
before the fact, the risks of these criminal acts.
This was the case with Hospice of North Idaho, where there was
no evidence that the information contained on the laptop was
inappropriately accessed or used for any malicious purpose.
Further, according to the hospice, it appropriately investigated
the incident and adopted mitigation measures to lessen its impact.
The hospice performed a thorough risk assessment, increased
security measures on equipment containing PHI, and adopted stronger
security policies and procedures following the incident. It sent
appropriate breach notification letters to patients, and offered
families of deceased patients family support through the assignment
of a personal recovery advocate. In other words, it took every
measure it could to lessen the harmful effects of the breach. The
hospice was still penalized, however, due to the fact that it had
not performed a security assessment or adopted appropriate security
policies prior to the time at which the breach occurred. In the
words of OCR Director Leon Rodriguez, "This action sends a
strong message to the health care industry that, regardless of
size, covered entities must take action and will be held
accountable for safeguarding their patients' health
Rodriguez also noted that "Encryption is an easy method for
making lost information unusable, unreadable and
undecipherable." This statement implies that OCR may be moving
closer to viewing encryption for laptops as an industry standard.
Although many entities have experienced difficulties in adopting
encryption as their standard for communications, the fact that OCR
may view encryption as an "easy method" for protection
indicates that covered entities may, by necessity, need to adopt
this level of protection in the future.
My New Year's resolutions will likely be broken early and often in 2016. My consequences are mostly nonmonetary: a few more pounds, a little less savings, and not winning the triathlon in my age group.
Employers with more than 50 employees are usually aware that the Family Medical Leave Act (FMLA) may apply to their business and their workers. That law, which provides for protected leave for employees in certain situations and various amounts, can sound simple but is very complex in its details.
For the second time in less than a year, the U.S. Department of Justice (DOJ) has filed an antitrust complaint against hospital systems that agreed to not advertise on billboards or in print in each other's home county.
Arguing that the current state of the law weakens the patent system and poses a danger to life science innovators, biotechnology company, Sequenom, Inc., has filed a writ of certiorari with the U.S. Supreme Court, asking the Court to provide clarification regarding the limits of 35 U.S.C. § 101 as it relates to patent eligibility of diagnostic tests.