HHS announces first settlement in smaller data breach

In less than three years, around 60,500 "smaller" healthcare data breaches—each affecting the records of fewer than 500 individuals—occurred across the country, and the federal government is setting its sights on providers implicated in these incidents.

HHS' Office for Civil Rights has reached a $50,000 settlement agreement with Hospice of North Idaho, based in Hayden, a suburb of Coeur D'Alene, pertaining to the hospice's 2010 loss of a laptop computer that contained the records of 441 patients. The Civil Rights Office described the settlement as the first stemming from a Health Insurance Portability and Accountability Act security-rule violation for a breach affecting fewer than 500 individuals.

"This action sends a strong message to the healthcare industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients' health information," said Leon Rodriguez, director of the Civil Rights Office, in a news release. "Encryption is an easy method for making lost information unusable, unreadable and undecipherable."

Hospice of North Idaho routinely uses laptop computers in the field, the Civil Rights Office said in the release, but "did not have in place policies or procedures to address mobile device security as required by the HIPAA security rule." It also had not conducted a HIPAA-mandated risk analysis to safeguard electronic protected health information, according to the release.

The American Recovery and Reinvestment Act of 2009 requires hospitals, physicians and other HIPAA-covered entities to report data breaches—regardless of size—to the Civil Rights Office. However, the Civil Rights Office divides breaches into two categories: those affecting 500 or more individuals, and those affecting fewer than 500. The Civil Rights Office posts on its website only breaches affecting more than 500 people, and thus far providers involved in smaller breaches have escaped its cross hairs in terms of enforcement actions.

Since September 2009, 525 larger breaches, involving the potential exposure of records for a total of more than 21.4 million individuals, have been posted to the Civil Rights Office's website. Through the end of 2011, according to a Civil Rights Office spokesperson, there were 60,500 or so smaller breaches. More up-to-date data on smaller breaches was unavailable.

In September, CMS rule writers sought to further nudge providers toward the use of encryption by specifically mentioning the security benefits of the technology in their Stage 2 meaningful-use rules. They also added completion of a HIPAA risk assessment in which encryption must be addressed—albeit not required—as a criterion providers must meet to get paid under the Medicare and Medicaid electronic health-record incentive payment programs.