HHS and HONI Settle ePHI Breach Affecting Fewer Than 500 Individuals for $50,000

HHS and the Hospice of North Idaho (HONI) have agreed to the first ever settlement involving a breach of unprotected electronic protected health information (ePHI) affecting fewer than 500 individuals. Under the terms of the agreement, HONI has agreed to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) Security Rule for $50,000. The HIPAA Security Rule established a set of security standards for the confidentiality, integrity, and availability of ePHI that apply to covered entities. Covered entities include health care providers and professionals who transmit electronic health information in connection with certain transactions. A copy of the resolution agreement between HHS and HONI is available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/honi-agreement.pdf

HHS Investigation

The investigation began when HONI reported to the HHS Office for Civil Rights (OCR) that an unencrypted laptop computer had been stolen in June 2010. HHS’ investigation found that HONI staff regularly used laptops as part of their fieldwork; however, HONI had failed to conduct a risk analysis to protect the ePHI stored on those laptop computers. HHS also found that HONI had violated the HIPAA Security Rule because it had no organizational policies or procedures addressing the security issues posed by mobile devices. The Health Information Technology for Economic and Clinical Health (HITECH) Act (P.L. 111-5) Breach Notification Rule requires covered entities to report impermissible uses or disclosures of protected information, or “breaches,” to the HHS Secretary within 60 days when 500 or more individuals are affected. In cases where breaches affect fewer than 500 individuals, reports must be submitted to the HHS Secretary annually.

Provider Education

The HHS Office of the National Coordinator for Health Information Technology (ONC) and the OCR are offering providers and covered entities educational tips and guidance on how to protect ePHI on mobile devices. The www.healthit.gov site provides several links that providers can use to learn about protecting and securing mobile devices, steps organizations can take to manage mobile devices, and a list of frequently asked questions. There are also downloadable materials, including fact sheets and a presentation titled “Mobile Devices: Know the RISKS, Take the STEPS, PROTECT and SECURE Health Information,” to help providers protect ePHI on tablets, smartphones, and laptops.