HHS Announces New HIPAA Breach Settlement

HHS has announced its first HIPAA breach settlement involving fewer than 500 patients.  The announcement came on January 2, 2013 following a disclosure by the provider, Hospice of North Idaho.  The facts involved the theft of an unencrypted laptop that contained ePHI for 441 individuals.  HHS found that the provider did not do a sufficient analysis of the risk to the confidentiality of ePHI after the new rule went into effect and did not have in place appropriate policies or security measures to ensure the confidentiality of ePHI.  To settle the matter, the provider agreed to pay HHS $50,000 and enter into a corrective action plan.  More information about the settlement, including the settlement agreement, can be found at this link on the HHS website.

This settlement shows that HHS takes breach notifications seriously.  At the same time, it appears that HHS will be open to entering reasonable settlement agreements to resolve this type of breach.  Mostly this demonstrates what we all know:  don’t put ePHI on unencrypted laptops or other mobile devices.  For more information, contact Dave Schoolcraft, Lee Kuo or Casey Moriarty.

Health Data Privacy Protections to Increase

As we wait for the HITECH Act updates to HIPAA to be finalized, yet another article signals the administration’s intent to strengthen privacy protections for health data: http://www.nytimes.com/2011/05/31/business/31privacy.html

HIPAA Breach Notification — Compliance Action Plan

With the September 23, 2009 effective date for the new HIPAA breach notification requirements rapidly approaching, health care organizations must move now to address compliance obligations.

The slide deck below (from a presentation for the Washington State Hospital Association I gave on September 16th) contains a summary of the rule along with a Compliance Action Plan outlining key steps to address requirements under the rule.

HHS indicated they will exercise their “enforcement discretion” over the next several months given the tight time frame.  That said, in light of the increased civil penalties passed as part of the HITECH Act and now in effect, covered entities should work to implement a compliance action plan now rather than rely on such “enforcement discretion” later.