50K Penalty After 441-Patient HIPAA Breach

Under Health Insurance Portability and Accountability Act (HIPAA) regulations, healthcare organizations must report data breaches involving more than 500 people to the Office for Civil Rights (OCR), and financial sanctions apply for HIPAA breaches; however, security breaches involving fewer people can still result in fines.

In 2010, a laptop computer was stolen from a community non-profit hospice in Hayden, North Idaho. The laptop stored the PHI of 441 patients, including Social Security numbers, medical test details, diagnoses, medications issued and other protected patient information. The laptop had been issued to a nurse from the Hospice of North Idaho, who took it home with her for the weekend and left it in her car, from which it was then stolen.

When a data breach affects more than 500 patients, the incident must be made known to the OCR promptly; since this incident involved just 441 patients, the theft and data breach were not reported to the OCR until the year end, as permitted under HIPAA breach notification regulations for breaches of that size.

Upon identifying the theft and the potential exposure of patient data, the hospice carried out an investigation and put strategies in place to mitigate any damage caused. This involved contacting all 441 patients to tell them that their data may have been viewed, and free credit monitoring services were provided to the patients concerned. The families of deceased patients were assigned a personal recovery counselor and given family support.

A risk assessment was completed following the theft, and industry experts were engaged to review the IT systems at the hospice. The services that were being outsourced at the time of the theft were also replaced. While all reasonable steps were taken to lessen the damage caused by the breach and to comply with HIPAA regulations, the OCR's investigation identified non-compliance issues.

The OCR ruled that no risk assessment had taken place before the theft, which was a direct breach of HIPAA regulations. Additionally, the hospice had not implemented appropriate policies and procedures in line with the HIPAA Security Rule and had not taken adequate steps to protect data stored on mobile devices.

Negotiations between the hospice and the OCR led to an agreed settlement of $50,000, with the relatively small fine reflecting the prompt action taken by the hospice to address its poor data security. The fine could have been much higher, although $50K is still a significant cost for a small non-profit organization to cover. It will now have to carry out an extensive fundraising campaign to recover the loss.

The OCR also implemented a corrective action plan with a requirement that any future data breaches – of any size – be made known to the OCR within 30 days, which must also be accompanied by specific details of the actions taken to mitigate the damage inflicted.

This incident should serve as a warning to healthcare organizations of all sizes that a failure to comply with HIPAA guidelines, including the Security Rule, will lead to financial penalties far in excess of the cost of ensuring HIPAA compliance in the first place. It also shows the vigor with which the OCR is pursuing offenders and enforcing the regulations.