It appears that the US Department of Health and Human Services (HHS) is getting more aggressive in enforcing HIPAA regulations. Recently a hospice facility in Idaho was fined $50,000 for a breach involving 441 patients. It was the first HHS settlement for a HIPAA data breach affecting fewer than 500 patients’ records.

The cause of the breach was a stolen laptop containing unencrypted data. Encryption is a basic security control that every business should use, especially firms that hold highly sensitive information – like health records and Social Security numbers – in their custody.

Article Excerpt:

On January 2, 2013, the U.S. Department of Health and Human Services, Office of Civil Rights (OCR) announced its first HIPAA breach settlement involving fewer than 500 patients. OCR took action against a hospice provider in Idaho that had a laptop stolen containing health information on 441 patients. The provider was required to pay OCR a fine of $50,000 and enter into a corrective action plan to settle the investigation.

OCR Allegations

The mere fact that a laptop was stolen was not the only reason for OCR’s investigation. Instead, OCR alleged that the provider did not “conduct an accurate and thorough analysis of the risk to the confidentiality of [electronic health information] on an on-going basis as part of its security management process….” This included a failure to evaluate potential risks to information as a result of maintaining and transmitting data on mobile devices and take necessary steps to mitigate these risks.
