HHS Settles First Small Data Breach Case at Medical Practice

For the first time, the Dept. of Health and Human Services has reached a settlement over a data breach that affected fewer than 500 people, reinforcing its message that no medical practice is too small to be held accountable for not following privacy and security laws.

On Jan. 2, Hospice of North Idaho settled a 2010 security case by agreeing to pay $50,000 to HHS. The case stemmed from a stolen laptop with unencrypted data containing the protected health information of 441 patients.

HHS reached the agreement after a long investigation by its Office for Civil Rights, which found that the practice never conducted a risk assessment to safeguard patient data, a requirement under the Health Insurance Portability and Accountability Act. The agency also found that there were no policies and procedures to address mobile security, despite the fact that the practice routinely uses laptops as part of its field work.

“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information,” Office for Civil Rights Director Leon Rodriguez said in a statement.

Because the breach involved fewer than 500 patients, the practice was not required to notify HHS and the media immediately, as the Health Information Technology for Economic and Clinical Health Act requires for larger breaches. Smaller cases must be reported to HHS on an annual basis.

The settlement was not an admission of guilt by Hospice of North Idaho, but the practice said it took the incident “very seriously.”

“The theft of the laptop was out of our hands, but the measures we have taken since then to ensure the security and privacy of our patients’ information have been numerous,” said Brenda Wild, board president of Hospice of North Idaho. Those steps included encrypting data on all mobile devices and conducting regular HIPAA training.

An Office for Civil Rights website highlights settlement agreements as a way to send warnings to other health care organizations (hhs.gov/ocr/privacy/hipaa/enforcement/examples/).

The first major settlement with a small practice, reached in April 2012 with Phoenix Cardiac Surgery, is one example. The practice agreed to pay $100,000 to settle charges that it didn’t take adequate steps to protect patient data when an investigation discovered that an online scheduling system was making protected health information publicly available.

Problems with mobile security

The Hospice of North Idaho case not only highlights the Office for Civil Rights’ message to small practices, but it also underscores the importance of mobile security, a safeguard relevant to many health data breaches.

A report published in August 2012 by South Florida accounting firm Kaufman Rossin found that 50% of breaches in 2011 originated from laptops or other compromised locations, a category that included all mobile devices. Many experts say the rise in mobile device use is creating more vulnerabilities.

Continue reading this data breach article at amednews.com.