Under Health Insurance Portability and Accountability Act (HIPAA) regulations, healthcare organizations are required to report data breaches involving more than 500 individuals to the Office for Civil Rights (OCR), and financial penalties apply for HIPAA violations; however, security breaches involving fewer individuals can still result in fines being issued.
In 2010, a laptop computer was stolen from a community non-profit hospice in Hayden, North Idaho. The laptop contained the PHI of 441 patients, including Social Security numbers, medical test results, diagnoses, medications issued and other protected patient information. The laptop had been issued to a nurse from the Hospice of North Idaho, who took the device home with her at the weekend and left it in her car, where it was subsequently stolen.
When data breaches involve more than 500 patients, the incident must be reported to the OCR promptly; however, since this incident involved just 441 patients, the report of the theft and data breach was not provided to the OCR until the year end, as permitted under the HIPAA breach notification rules for breaches of that size.
Upon discovery of the theft and potential exposure of patient data, the hospice conducted an investigation and implemented strategies to mitigate any damage caused. This involved contacting all 441 patients to advise them that their data had potentially been viewed, and free credit monitoring services were offered to the patients concerned. The families of deceased patients were assigned a personal recovery advocate and given family support.
A risk assessment was conducted following the theft, and industry experts were employed to assess the IT systems at the hospice. The services that were being outsourced at the time the theft took place were also replaced. While all reasonable steps were taken to mitigate the damage caused by the breach and to comply with HIPAA regulations, when the OCR conducted its investigation, non-compliance issues were discovered.
The OCR determined that no risk assessment had taken place prior to the theft, which was a direct breach of HIPAA regulations. Additionally, the hospice had failed to implement appropriate policies and procedures in accordance with the HIPAA Security Rule and had not taken sufficient action to protect data held on mobile devices.
Negotiations between the hospice and the OCR resulted in a settlement of $50,000, with the relatively small fine attributed to the prompt action taken by the hospice to address its substandard data security. The fine could have been substantially higher, although $50,000 is a considerable cost for a small non-profit organization to cover. It will now have to conduct an extensive fundraising campaign to recover the loss.
The OCR also issued a corrective action plan requiring that any future data breaches – of any size – be reported to the OCR within 30 days, accompanied by details of the actions taken to mitigate the damage caused.
This incident should serve as a reminder to healthcare organizations of all sizes that a failure to comply with HIPAA guidelines, including the Security Rule, can result in financial penalties far in excess of the cost of ensuring HIPAA compliance in the first place. It also demonstrates the vigor with which the OCR is pursuing offenders and enforcing the regulations.