HHS settles first small data breach case at medical practice
■ The agreement underscores the importance of mobile device security and routine risk assessments.
For the first time, the Dept. of Health and Human Services has reached a settlement over a data breach that affected fewer than 500 people, reinforcing its message that no medical practice is too small to be held accountable for not following privacy and security laws.
On Jan. 2, Hospice of North Idaho settled a 2010 security case by agreeing to pay $50,000 to HHS. The case stemmed from a stolen laptop with unencrypted data containing the protected health information of 441 patients.
HHS reached the agreement after a long investigation by its Office for Civil Rights, which found that the practice never conducted a risk assessment to safeguard patient data, a requirement under the Health Insurance Portability and Accountability Act. The agency also found that there were no policies and procedures to address mobile security, despite the fact that the practice routinely uses laptops as part of its field work.
“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information,” Office for Civil Rights Director Leon Rodriguez said in a statement.
Because the breach did not involve more than 500 patients, the practice was not required to make immediate notification to HHS and the media, as required under the Health Information Technology for Economic and Clinical Health Act. Smaller cases must be reported to HHS on an annual basis.
The settlement was not an admission of guilt by Hospice of North Idaho, but the practice said it took the incident “very seriously.”
“The theft of the laptop was out of our hands, but the measures we have taken since then to ensure the security and privacy of our patients’ information have been numerous,” said Brenda Wild, board president of Hospice of North Idaho. Those steps included encrypting data on all mobile devices and conducting regular HIPAA training.
An Office for Civil Rights website highlights settlement agreements as a way to send warnings to other health care organizations (link).
The first major settlement with a small practice, reached in April 2012 with Phoenix Cardiac Surgery, is one example. The practice agreed to pay $100,000 to settle charges that it didn’t take adequate steps to protect patient data when an investigation discovered that an online scheduling system was making protected health information publicly available.
Problems with mobile security
The Hospice of North Idaho case not only highlights the Office for Civil Rights’ message to small practices, but it also underscores the importance of mobile security, the safeguard against many health data breaches.
A report published in August 2012 by South Florida accounting firm Kaufman, Rossin & Co. found that 50% of breaches in 2011 were from laptops or other compromised locations that included all mobile devices. Many experts say the rise in mobile device use is causing more vulnerabilities.
Ponemon Institute, a Traverse City, Mich.-based data privacy and security research firm, published its Third Annual Benchmark Study on Patient Privacy & Data Security in December 2012. The study found that 81% of the 80 organizations surveyed allow employees to use their own mobile devices (link). Forty-six percent of the surveyed organizations have not taken steps to ensure data security on the personal devices.
In 2012, the Office for Civil Rights and HHS’ Office of the National Coordinator for Health Information Technology launched a website devoted to mobile device security (link). It offers tips and guidance on how practices can protect patient information when using mobile devices.
The American Medical Association published a guide in 2010 to help practices understand and implement encryption (link) .
Amanda Miller, director of community development for Hospice of North Idaho, said her advice to other small practices is to go to the National Institute of Standards and Technology and download the HIPAA Security Rule Toolkit (link). She said physicians will find areas of weakness that need to be addressed as they go through the questions.
“Become involved in the solutions for your practices,” she said.