Skip to content
DWT logo
People Services Insights
About Offices Careers
Search
People
Services
Insights
About
Offices
Careers
Search
Advisories
Healthcare

Small Data Breach Leads to $50,000 HHS Settlement for Hospice

By Adam H. Greene
01.02.13
Share
Print this page

In what HHS declares as “the first settlement involving a breach of unprotected electronic protected health information (ePHI) affecting fewer than 500 individuals,” the Office for Civil Rights (OCR) reached a $50,000 settlement and two-year corrective action plan with the Hospice of Northern Idaho regarding the theft of a hospice laptop containing health information of 441 patients. (Only in the world of HIPAA can you have “unprotected … protected” information.) OCR’s press release, continuing a recent trend, emphasized the importance of encrypting mobile devices, conducting a risk analysis, and implementing policies and procedures to address mobile device security.

The press release also emphasizes that OCR is willing to take aggressive actions against entities of any size that fail to safeguard patient information. The $50,000 resolution amount, though, is far below the average of approximately $900,000, suggesting that the size of the organization will play a much larger role than the nature of the incident when determining settlement amounts. For example, OCR recently reached a settlement of $100,000 with a small physician practice for an allegedly widespread lack of information security safeguards, while it reached a $1.5 million settlement with a larger hospital over a relatively small breach and more narrow information security issues.

OCR reportedly has received tens of thousands of small breach reports since the interim final breach notification rule’s compliance date of September 2009. This appears to be the first of such breach reports that has led to a settlement. It begs the question of whether other types of small breaches will lead to settlements, such as cases of employee “snooping.”

One final note is that of OCR’s 11 settlements related to HIPAA, this is the fifth from Region X (Seattle). Although there are 10 OCR regional offices, 45 percent of the settlements have come from the Seattle regional office.

Related Articles

06.13.25
Insights
Healthcare
Oregon SB 951: New Restrictions on the Corporate Practice of Medicine in Oregon Read More
05.22.25
Insights
White Collar, Investigations & Government Controversies
DOJ Criminal Division Reveals New White-Collar Crime Enforcement Priorities and Corporate Enforcement Policies Read More
05.20.25
Presentations
Healthcare
Healthcare Industry Summit 2025 Read More
DWT logo
©1996-2025 Davis Wright Tremaine LLP. ALL RIGHTS RESERVED. Attorney Advertising. Not intended as legal advice. Prior results do not guarantee a similar outcome.
Media Kit Affiliations Legal notices
Privacy policy Employees DWT Collaborate EEO
SUBSCRIBE
©1996-2025 Davis Wright Tremaine LLP. ALL RIGHTS RESERVED. Attorney Advertising. Not intended as legal advice. Prior results do not guarantee a similar outcome.