Idaho Hospice Pays $50,000 for Losing Fewer Than 500 Patient Records
January 2, 2013 -- Today the US Department of Health and Human Services Office for Civil Rights announced that it had accepted a $ 50,000 resolution agreement with Hospice of North Idaho for a stolen laptop that contained 441 patient records. (details here)
In a press release, hospice Vice President Kim Ransier said “All healthcare agencies, including non-profit agencies, are accountable to the same regulations. We realize that we must adhere to these regulations while continuing to provide the highest quality care for our patients and not lose sight of our mission.”
In addition to the financial penalty, the hospice incurred additional costs.
Patients who could have been affected were identified, contacted, and offered credit monitoring, and families of deceased patients were offered family support through the assignment of a personal recovery advocate. Also during this time, Hospice of North Idaho hired industry experts in the areas of Information Technology and Human Resources, replacing the outsourced services employed during the time of the laptop theft.
Hospice of North Idaho conducted a thorough risk analysis as a part of its security process, increased security measures on all equipment containing patient information and adopted stronger security policies and procedures to insure the safety of patient health information. Other measures taken were the encryption of all laptops, stronger password enforcement, and HIPAA privacy and security training on a scheduled basis. To date, Hospice of North Idaho is in compliance with all Federal regulations and is conducting ongoing education and training of staff on a regular basis.
Because of the proactive approach taken and Hospice of North Idaho’s current security plan, the OCR’s settlement amount is significantly less than the standard penalties imposed. Hospice of North Idaho has agreed to settle with the OCR for $50,000.
“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.” said OCR Director Leon Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”