Hospice settles HIPAA case for $50,000

A stolen laptop has resulted in an Idaho hospice organization paying the Department of Health and Human Services $50,000. 

It's the first settlement for a breach of protected health information affecting fewer than 500 individuals under the Health Insurance Portability and Accountability Act Security Rule, according to HHS. 

The computer contained health information for 441 patients. The Hospice of North Idaho, located in Hayden, notified HHS it had been stolen in February 2011. 

The government said the hospice “did not adequately adopt or implement security measures sufficient to ensure the confidentiality of e-PHI that it created, maintained, and transmitted using portable devices.” 

The agreement sends a warning to other healthcare organizations that HHS takes HIPAA seriously, even for small organizations, and that patient health records should be encrypted. It follows other HIPAA cases settled in 2012: The Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc. settled with HHS for $1.5 million in September. An unencrypted personal laptop containing the protected health information of patients, such as patient prescription information, had been stolen. The Alaska Department of Health and Human Services settled a HIPAA case with HHS for $1.7 million in June. In that case, an “electronic storage device potentially containing electronic protected health information (e-PHI) was stolen from the vehicle of a DHSS computer technician.” 

Earlier in 2012, HHS settled a HIPAA case with Blue Cross Blue Shield of Tennessee for $1.5 million. 

Hospice of North Idaho entered into a two-year corrective action plan with HHS as part of the settlement, and began implementing increased compliance when the laptop was lost. 

The agreement between the HONI and HHS was signed on Dec. 17.