The laptop was stolen in February 2011 from a hospice worker’s car and never retrieved, according to news accounts. But Hospice of North Idaho officials say there is no evidence the personal information has been used to commit identity theft or fraud.
“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information,” said Leon Rodriguez, director of the U.S. Department of Health and Human Services’ Office of Civil Rights, in a statement. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”
A breach notification rule within the omnibus law known as HIPAA requires covered entities to report “an impermissible use or disclosure of protected health information” affecting less than 500 individuals to federal authorities on an annual basis.
In the case of the Idaho hospice, the OCR found the non-profit that provides palliative care did not conduct an accurate and thorough risk anaylysis of electornic patient records on an ongoing basis as part of its security management process, including taking appropriate steps to secure patient records stored on portable devices.
“Hospice of North Idaho conducted a thorough risk analysis as a part of its security process, increased security measures on all equipment containing patient information, and adopted stronger security policies and procedures to ensure the safety of patient health information,” hospice spokeswoman Amanda Miller told The Spokesman-Review. “Other measures taken were the encryption of all laptops, stronger password enforcement, and HIPAA privacy and security training on a scheduled basis.”
The hospice, which in 2010 had a $700,000 margin on $8.8 million in revenues, will pay the fine out of its operating budget.
“As a nonprofit, $50,000 is a lot of money and we are being extra resourceful right now to account for this settlement cost,” Miller said.