This week the Department of Health and Human Services (HHS) announced the first HIPAA breach settlement involving fewer than 500 patients. Hospice of North Idaho will pay $50,000 to settle potential violations involving electronic protected health information (ePHI). The breach occurred when an unencrypted laptop containing the ePHI of 441 patients was stolen.
In its press release on the breach and settlement, HHS emphasized that Hospice of North Idaho had not conducted a risk analysis to safeguard its ePHI and, further, had no policies and procedures in place covering electronic devices.
This settlement is the first clear signal from HHS of how seriously it is taking HIPAA breaches, especially those involving portable electronic devices. Alongside this case, HHS has also launched a mobile device initiative, which can be found at www.HealthIT.gov/mobiledevices.
In an era where every healthcare executive carries multiple mobile devices at any given time, it behooves every organization to take a hard look at its policies and procedures. There is some genuinely useful material on the HHS website that I would guess many organizations have not addressed in their policies, such as guidance on text messaging, Bluetooth-enabled devices, and the use of public internet (Wi-Fi) connections.
If your organization allows cell phones, laptops, or iPads to be used for any type of healthcare business involving patient information, you need to conduct a risk analysis and update your policies accordingly. Note the single control that would have changed this case: ePHI encrypted in line with HHS guidance is treated as secured, so the loss or theft of an encrypted device is not a reportable breach, whereas the loss of an unencrypted one is. If you carry an electronic device, make sure you are complying with your organization's policies and are not recklessly or purposefully violating its security policies.