HIPAA Regulatory Alert: Hospice pays $50,000 settlement

First-time breach of less than 500 records fined

The Office of Civil Rights (OCR) has issued its first fine against a small organization with a breach of fewer than 500 patient records. Hospice of North Idaho in Hayden will pay a $50,000 fine for the June 2010 theft of an unencrypted laptop containing the electronic protected health information (ePHI) of 441 patients.

The settlement agreement between the OCR and the hospice notes that the organization failed to meet the standards in two ways:

• The hospice did not conduct an accurate and thorough analysis of the risk to the confidentiality of ePHI on an ongoing basis.

• The hospice did not adequately adopt or implement security measures sufficient to ensure the confidentiality of ePHI on portable devices.

To see a copy of the Hospice of North Idaho Settlement Agreement, go to www.hhs.gov/ocr/privacy/hipaa/enforcement. Scroll down to “Case Examples and Resolution Agreements,” and select the Dec. 31, 2012, entry “HHS announces first HIPAA breach settlement involving less than 500 patients.”