HIPAA Enforcement for Breach Involving Less than 500 Patients

  • Jan 7 2013

The U.S. Department of Health and Human Services (HHS) initiated a compliance investigation after the Hospice of North Idaho (HONI) reported to HHS that an unencrypted laptop computer containing the electronic protected health information (ePHI) of 441 patients had been stolen.

Pursuant to the Health Information Technology for Economic and Clinical Health Act (HITECH), if a breach of unsecured PHI involves less than 500 impacted individuals, a log of the unauthorized disclosure must be maintained and submitted to HHS on an annual basis.

As a result of the investigation, the HHS Office for Civil Rights (OCR) discovered that HONI had not conducted a risk analysis to safeguard ePHI, and did not have written policies or procedures to address mobile device security as required by the HIPAA Security Rule. The HONI agreed to pay the HHS $50,000 to settle the potential violations.

The settlement confirms that the OCR may conduct a compliance investigation in response to these required “self” disclosures.

This post is contributed by Charles Dunham.

Tagged with: , , ,

Posted in: HIPAA, Uncategorized



54 State Street
Albany, NY 12207

tel: 518.462.5601
fax: 518.462.2670

Saratoga Springs

1 Court Street
Saratoga Springs, NY 12866

tel: 518.584.5205
fax: 518.584.5441