Healthcare News & Insights

First HIPAA fine for breach of less than 500 records announced

An Idaho hospice has agreed to pay $50,000 to settle alleged HIPAA violations in the first HIPAA fine for a breach involving fewer than 500 patient records. 

The Department of Health & Human Services (HHS) recently announced it had reached a settlement with The Hospice of North Idaho. The hospice agreed to pay $50,000 to settle possible HIPAA violations related to a 2010 data breach that may have compromised 441 patient records.

All previous settlements involved breaches of more than 500 records. The law requires providers to report breaches of more than 500 records within 60 days of their discovery, whereas smaller breaches must be reported to HHS on an annual basis.

The Hospice of North Idaho data breach occurred when a laptop holding unencrypted protected health information was stolen. The organization’s employees regularly use laptops for their work in the field. However, HHS said, the hospice did not have HIPAA-mandated mobile security policies in place.

According to the HHS announcement, this settlement shows that healthcare providers, regardless of their size, should take steps to protect the security of sensitive patient information, especially when it’s held on laptops, smartphones and other mobile devices. Said HHS, “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”
