HHS Announces First HIPAA Breach Settlement Affecting Less Than 500 Individuals

By Karen Painter Randall

HHS announced that the Hospice of North Idaho (HONI) agreed to pay $50,000 and enter into a CAP as part of a settlement involving a breach of unsecured ePHI.  This was significant in that it was the first settlement by HHS involving a breach affecting less than 500 individuals. 

In or around February 2011, HONI self-reported that an unencrypted laptop containing ePHI of 441 patients was stolen in June 2010.   In response, an investigation into the breach indicated that HONI failed to conduct a risk analysis of the security of ePHI transmitted using portable devices, and failed to adopt or implement sufficient measures to ensure the confidentiality of ePHI transmitted using portable devices “to a reasonable and appropriate level.”  HIPAA requires that breaches of unsecured PHI affecting 500 or more individuals be reported to the Secretary of HHS and the media within 60 calendar days after discovery of a breach.  Covered entities must also maintain a log of breaches of unsecured PHI affecting fewer than 500 individuals each year and must disclose such breaches annually to the Secretary of HHS no later than 60 days following the end of each calendar year. 

The settlement with HONI sends the message to the healthcare industry that HHS-OCR is investigating even relatively smaller disclosed breaches of unsecured PHI to identify and penalize noncompliance with HIPAA.  Moreover, it confirms HHS-OCR’s lack of tolerance for the storage of ePHI on unencrypted portable devices.