On January 2, 2013, the HHS Office for Civil Rights (“OCR”) announced its first settlement and corrective action plan following a breach affecting fewer than 500 individuals. The Hospice of North Idaho (“HONI”) has agreed to pay $50,000 to settle potential violations of the HIPAA Security Rule following the theft of an unencrypted laptop containing electronic Protected Health Information (“ePHI”) for 441 patients. Significantly, this is the third settlement in six months involving unencrypted portable devices.
In addition to the requirement to report breaches affecting more than 500 patients “without unreasonable delay and in no case later than 60 calendar days after discovery of the breach,” which OCR publicizes on its website, Covered Entities must also maintain a log of all breaches affecting fewer than 500 patients and submit this information to OCR within 60 calendar days after the end of each calendar year. On February 16, 2011, HONI reported the theft to OCR, and OCR commenced its investigation on July 22, 2011. According to OCR, its investigation revealed that HONI had failed to conduct a risk analysis to safeguard ePHI and did not have in place policies and procedures to address mobile device security, as required by the HIPAA Security Rule.
Following the $1.7 million settlement in June with the Alaska Department of Health and Social Services and the Massachusetts Eye and Ear Infirmary’s $1.5 million settlement in September, this settlement reinforces the practical necessity of encryption, which Leon Rodriguez, Director of OCR, describes as “an easy method for making lost information unusable, unreadable and undecipherable.” Easy or not, as providers face a health care environment that increasingly relies upon portable devices, encryption remains the primary answer to security risks. Furthermore, it remains the best first defense against the expensive and reputation-damaging reality of notifying patients and OCR that a breach has occurred.
Beyond emphasizing the importance of encryption, OCR’s recent enforcement trends also make it clear that Covered Entities (and, given the import of the forthcoming final HITECH regulation, Business Associates) should consider the Security Rule risk analysis to be the central component of Security Rule compliance. Although a risk analysis may require Covered Entities and Business Associates to spend significant resources, OCR plainly views it as critical.
In addition to the $50,000 settlement, the Resolution Agreement between HONI and OCR included a corrective action plan, which requires HONI to investigate any report that a workforce member may have failed to comply with HONI’s Privacy and Security policies and procedures and report actual violations to OCR within 30 days. HONI did not admit any liability in the agreement and OCR did not concede that HONI was not liable for civil monetary penalties.
Additional information about OCR’s enforcement activities can be found here.