Under the Health Insurance Portability and Accountability Act (HIPAA), healthcare organizations are required to report data breaches affecting more than 500 people to the Office of Civil Rights, and financial penalties apply for HIPAA violations; however, breaches affecting fewer people can still result in penalties.
In 2010, a laptop was stolen from a community non-profit hospital in Hayden, North Idaho. The laptop held the PHI of 441 patients, including diagnoses, medical test results, Social Security numbers, prescribed medications and other protected patient information. The laptop had been issued to a carer from the Hospital of North Idaho, who took it home with her for the weekend and left it in her car, from which it was then stolen.
When a breach involves more than 500 patients, it must be reported to the OCR promptly; because this case involved only 441 patients, the theft and resulting data breach were not reported to the OCR until the end of the year, as permitted under the HIPAA breach notification rules.
On discovering the theft and the possible exposure of patient data, the hospital carried out an investigation and put plans in place to mitigate any harm caused. This included contacting all 441 patients to warn them that their data might have been viewed, and offering free credit monitoring services to the affected patients. The relatives of deceased patients were assigned a personal recovery lawyer and given family support.
A risk assessment was carried out after the theft, and industry experts were hired to evaluate the hospital's IT systems. The services that were being outsourced at the time of the theft were also replaced. Although all practical steps were taken to limit the damage caused by the breach and to comply with HIPAA rules, the OCR's investigation uncovered compliance failures.
The OCR found that no risk assessment had been performed before the theft, a direct violation of HIPAA rules. In addition, the hospital had failed to implement suitable policies and procedures as required by the HIPAA Security Rule, and had not taken adequate steps to protect data held on portable devices.
Negotiations between the OCR and the hospice resulted in a settlement of $50,000, the comparatively small penalty reflecting the swift action the hospital took to address its inadequate data security. The penalty could have been considerably higher, although $50K is still a substantial cost for a small non-profit to bear. It will now need to run an extensive fundraising campaign to recover the loss.
The OCR also issued a corrective action plan requiring that any future data breaches, of any size, be reported to the OCR within 30 days, together with details of the steps taken to mitigate the damage caused.
This case should serve as a reminder to healthcare organizations of all sizes that failing to comply with HIPAA rules, including the Security Rule, will lead to financial penalties far in excess of the cost of ensuring HIPAA compliance in the first place. It also shows the vigor with which the OCR is pursuing violators and enforcing the rules.