HHS assesses first fine for data breach affecting fewer than 500

An Idaho hospice became the first organization to pay a settlement to the U.S. Department of Health & Human Services for a breach of electronic protected health information affecting fewer than 500 people.

The Hospice of North Idaho agreed to pay HHS $50,000 to settle the potential violation of the Health Insurance Portability and Accountability Act of 1996, according to an HHS announcement. The breach occurred in June 2010 when a laptop containing unencrypted ePHI was stolen from the hospice, according to the announcement. The HHS Office for Civil Rights found that the hospice had not conducted a risk analysis to safeguard ePHI, and did not have policies in place to address mobile-device security, as required by the HIPAA Security Rule.

Hospice of North Idaho has since taken "extensive additional steps" to improve compliance, according to HHS.

"This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients' health information," OCR Director Leon Rodriguez said. "Encryption is an easy method for making lost information unusable, unreadable and undecipherable."

Security breaches involving 500 or more individuals must be reported to HHS within 60 days, but smaller breaches are reportable only once a year.

Despite attention to the issue, significant breaches of patient information continue to occur. Major breaches recently were reported by Gibson General Hospital in Princeton, Ind.; the University of Michigan Health System; Louisiana State University Health System; and the state of Kentucky's Medicaid system. The Indiana hospital case involved the theft of a laptop containing personal information for roughly 29,000 patients.

A recent Washington Post investigation found the healthcare industry was highly vulnerable to hacking.
