Enforcement action sends a strong message to the healthcare industry and reaffirms the need for security risk analysis and mobile-device security policies and procedures.
On January 2, the U.S. Department of Health and Human Services (HHS) announced its first settlement for a security breach involving fewer than 500 patients under the Health Insurance Portability and Accountability Act (HIPAA). The HHS Office for Civil Rights (OCR) reached a $50,000 settlement and two-year corrective action plan with the Hospice of North Idaho (HONI), resulting from a stolen unencrypted laptop computer containing the electronic protected health information (ePHI) of 441 patients.
The settlement is significant because it reaffirms, consistent with other recent OCR actions, that HIPAA-covered entities, regardless of the size of the organization, should conduct a formal security risk analysis and implement policies and procedures with respect to mobile-device security. Based on its investigation, OCR noted that HONI had failed to conduct a security risk analysis or adopt mobile-device policies and procedures. In its press release, OCR emphasized the importance of encrypting data, noting that it is "an easy method for making lost information unusable, unreadable and undecipherable."
In reaching this settlement, OCR noted that it is sending "a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients' health information." The $50,000 resolution amount is less than other recent OCR settlements with larger organizations, suggesting that OCR may take the size of the entity into account in crafting a settlement.
In its press release, OCR also highlighted its new educational initiative, Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information, which offers practical tips for healthcare providers and organizations on ways to protect ePHI when using mobile devices, such as laptops, tablets, and smartphones. Because breaches are often caused by the loss or theft of mobile devices, HIPAA-covered entities would be well served to develop security policies and procedures specifically addressing this risk area.
The HONI settlement demonstrates that even smaller HIPAA-covered entities, and even those as seemingly sympathetic as a small not-for-profit hospice organization, may be subject to OCR enforcement actions. Since the September 2009 compliance date of the Health Information Technology for Economic and Clinical Health (HITECH) Act interim final breach notification rule, OCR has received thousands of mandated reports with respect to breaches involving fewer than 500 patients. The HONI settlement suggests that OCR may be combing through even these smaller breach notifications for potential settlements and enforcement actions.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis attorneys:
Howard J. Young