On January 2, 2013, the Department of Health and Human Services (HHS) fined the Hospice of North Idaho $50,000 for violations of the Health Insurance Portability and Accountability Act (HIPAA). The primary violation was the loss of an unencrypted laptop containing Protected Health Information (PHI) for 441 patients, but the penalty also covered other areas of non-compliance: the hospice had not performed a risk analysis, and it had no policies or procedures for mobile device security. Note that encryption is what made the loss a breach at all: under the HIPAA Breach Notification Rule, PHI that is encrypted according to HHS guidance is treated as "unusable, unreadable, or indecipherable," and losing such a device does not trigger notification. This is the first HIPAA fine issued for a breach of PHI affecting fewer than 500 patients.
HHS Office for Civil Rights Director Leon Rodriguez made it clear in his statement on the breach that HHS will hold businesses responsible for protecting PHI irrespective of their size: “This action sends a strong message to the healthcare industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.”
This comes as shocking news to some who assumed that HHS would not take action on smaller breaches, which make up the large majority of healthcare breaches. According to the December 2012 U.S. Healthcare Data Breach Trends report, only about 500 breaches affecting 500 or more patients were reported to HHS over the previous three years, while the same period saw roughly 57,000 breaches affecting fewer than 500 patients. The 500-patient figure is significant because it is the threshold in the Breach Notification Rule: larger breaches must be reported to HHS within 60 days of discovery, while smaller ones need only be logged and reported annually, which is why they have historically drawn less scrutiny. Businesses of every size should therefore be prepared not only for the cost of notification, lost customers, breach response, and remediation, but also for HHS fines in the years ahead.