The Hospice of North Idaho (HONI) will pay $50,000 to the U.S. Department of Health and Human Services’ (HHS) for a "breach of unprotected electronic protected health information (ePHI) affecting fewer than 500 individuals," according to a Jan. 2, HHS press release.
"This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information," said OCR Director Leon Rodriguez in the release.
The action comes following an investigation by the HHS Office for Civil Rights (OCR) after HONI reported the theft of an unencrypted laptop, in June 2011, containing the electronic protected health information of 441 patients. The organization regularly uses laptops containing ePHI for field work.
"Over the course of the investigation, OCR discovered that HONI had not conducted a risk analysis to safeguard ePHI. Further, HONI did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule," the press release added.
To see the release, go to: www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/honi-agreement.pdf.