The U.S. Department of Health and Human Services (HHS) recently announced the first-ever HIPAA breach settlement for a case involving fewer than 500 patients -- the Hospice of North Idaho (HONI) has agreed to pay a fine of $50,000 for HIPAA violations related to the June 2010 theft of an unencrypted laptop containing the electronic personal health information of 441 patients.

"This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients' health information," Leon Rodriguez, director of the HHS Office for Civil Rights (OCR), said in a statement. "Encryption is an easy method for making lost information unusable, unreadable and undecipherable."

"An OCR investigation found that HONI had no policies or procedures in regard to mobile device security as required by HIPAA," wriets Security Management's Carlton Purvis.


"Of particular concern, the Hospice of North Idaho did not evaluate the likelihood or impact of potential risks to the confidentiality of the electronic health information it maintained on portable devices, Rachel Seeger, a spokeswoman for OCR, told BNA in an email," writes Bloomberg BNA's Alex Ruoff. "The hospice also did not implement security measures to address the risk of losing patient health information or maintain a process for managing that risk, she said."

"Data security breaches involving 500 individuals or more must be reported to HHS and the media within 60 days of discovering the breach," notes Becker's Hospital Review's Jim McLaughlin. "Breaches that compromise fewer than 500 individuals' data must be reported annually to HHS."