Idaho Hospice Settles Alleged HIPAA Security Rule Violations with HHS

The Hospice of North Idaho has agreed to pay $50,000 to settle allegations with the U.S. Department of Health and Human Services that it violated the HIPAA Security Rule by losing a laptop containing unencrypted personal health information of 441 patients. The settlement is the first of its kind involving a breach affecting fewer than 500 individuals. HHS determined that the Hospice of North Idaho had not conducted a security risk analysis as required by the Security Rule, and that the hospice failed to have policies and procedures to address the possibility of losing patient health information. The hospice also allegedly did not evaluate the potential or impact of risks of losing confidential information it contained on portable electronic devices. The hospice has entered into a two-year corrective action plan with HHS as an additional requirement of the settlement.     

TIP: This settlement is a reminder that organizations of all sizes should make sure that if the HIPAA Security Rule applies to them, they have policies and procedures in place to maintaining data security of covered health information. These procedures should include conducting a security risk analysis as required under the Rule. 

This tip has been created for information and planning purposes. They are not intended to be, nor should they be substituted for, legal advice, which turns on specific facts.