HHS settles first small data breach case at medical practice

The agreement underscores the importance of mobile device security and routine risk assessments.

Posted Jan. 15, 2013


For the first time, the Dept. of Health and Human Services has reached a settlement over a data breach that affected fewer than 500 people, reinforcing its message that no medical practice is too small to be held accountable for not following privacy and security laws.

On Jan. 2, Hospice of North Idaho settled a 2010 security case by agreeing to pay $50,000 to HHS. The case stemmed from a stolen laptop with unencrypted data containing the protected health information of 441 patients.

HHS reached the agreement after a long investigation by its Office for Civil Rights, which found that the practice never conducted a risk assessment to safeguard patient data, a requirement under the Health Insurance Portability and Accountability Act. The agency also found that there were no policies and procedures to address mobile security, despite the fact that the practice routinely uses laptops as part of its field work.

“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information,” Office for Civil Rights Director Leon Rodriguez said in a statement.

Because the breach did not involve more than 500 patients, the practice was not required to make immediate notification to HHS and the media, as required under the Health Information Technology for Economic and Clinical Health Act. Smaller cases must be reported to HHS on an annual basis.

The settlement was not an admission of guilt by Hospice of North Idaho, but the practice said it took the incident “very seriously.”

“The theft of the laptop was out of our hands, but the measures we have taken since then to ensure the security and privacy of our patients’ information have been numerous,” said Brenda Wild, board president of Hospice of North Idaho. Those steps included encrypting data on all mobile devices and conducting regular HIPAA training.

An Office for Civil Rights website highlights settlement agreements as a way to send warnings to other health care organizations.

The first major settlement with a small practice, reached in April 2012 with Phoenix Cardiac Surgery, is one example. The practice agreed to pay $100,000 to settle charges that it didn’t take adequate steps to protect patient data when an investigation discovered that an online scheduling system was making protected health information publicly available.

Problems with mobile security

The Hospice of North Idaho case not only highlights the Office for Civil Rights’ message to small practices, but also underscores the importance of mobile security as a safeguard against many health data breaches.

A report published in August 2012 by South Florida accounting firm Kaufman, Rossin & Co. found that 50% of breaches in 2011 came from laptops or other compromised locations, a category that included all mobile devices. Many experts say the rise in mobile device use is causing more vulnerabilities.

Ponemon Institute, a Traverse City, Mich.-based data privacy and security research firm, published its Third Annual Benchmark Study on Patient Privacy & Data Security in December 2012. The study found that 81% of the 80 organizations surveyed allow employees to use their own mobile devices. Forty-six percent of the surveyed organizations have not taken steps to ensure data security on the personal devices.

In 2012, the Office for Civil Rights and HHS’ Office of the National Coordinator for Health Information Technology launched a website devoted to mobile device security. It offers tips and guidance on how practices can protect patient information when using mobile devices.

The American Medical Association published a guide in 2010 to help practices understand and implement encryption.

Amanda Miller, director of community development for Hospice of North Idaho, said her advice to other small practices is to go to the National Institute of Standards and Technology and download the HIPAA Security Rule Toolkit. She said physicians will find areas of weakness that need to be addressed as they go through the questions.

“Become involved in the solutions for your practices,” she said.
