OFFICE OF CIVIL RIGHTS RINGS IN NEW YEAR WITH SIGNIFICANT HIPAA DATA BREACH SETTLEMENT
The HHS’ Office of Civil Rights (OCR) announced today that The Hospice of North Idaho has agreed to pay a $50,000 settlement for violations of the HIPAA Security Rule. OCR made a point of announcing that the settlement is the first one that involves a breach of unprotected PHI affecting fewer than 500 individuals. In June 2010, an unencrypted laptop computer was stolen from the provider. A subsequent OCR investigation determined that the health care provider had no policies or procedures in place for data security.
Health care providers and their insurance carriers should remember that while a breach affecting more than 500 individuals must be reported within 60 days, breaches affecting fewer than 500 individuals must still be reported on an annual basis. OCR is clearly sending a message at the start of the year that all health care providers must have proper data security procedures or run the risk of future penalties and fines.
This settlement demonstrates that data breaches, no matter the size, can result in significant costs and negative publicity for entities that are not properly prepared for a breach.