Small Data Breach Leads to $50,000 HHS Settlement for Hospice

In what HHS declares as “the first settlement involving a breach of unprotected electronic protected health information (ePHI) affecting fewer than 500 individuals,” the Office for Civil Rights (OCR) reached a $50,000 settlement and two-year corrective action plan with the Hospice of Northern Idaho regarding the theft of a hospice laptop containing health information of 441 patients. (Only in the world of HIPAA can you have “unprotected … protected” information.) OCR’s press release, continuing a recent trend, emphasized the importance of encrypting mobile devices, conducting a risk analysis, and implementing policies and procedures to address mobile device security.

The press release also emphasizes that OCR is willing to take aggressive actions against entities of any size that fail to safeguard patient information. The $50,000 resolution amount, though, is far below the average of approximately $900,000, suggesting that the size of the organization will play a much larger role than the nature of the incident when determining settlement amounts. For example, OCR recently reached a settlement of $100,000 with a small physician practice for an allegedly widespread lack of information security safeguards, while it reached a $1.5 million settlement with a larger hospital over a relatively small breach and more narrow information security issues.

OCR reportedly has received tens of thousands of small breach reports since the interim final breach notification rule’s compliance date of September 2009. This appears to be the first of such breach reports that has led to a settlement. It begs the question of whether other types of small breaches will lead to settlements, such as cases of employee “snooping.”

One final note is that of OCR’s 11 settlements related to HIPAA, this is the fifth from Region X (Seattle). Although there are 10 OCR regional offices, 45 percent of the settlements have come from the Seattle regional office.