This is a new policy; OCR has previously limited issuance of hefty fines, and publicity of the fines, against several organizations following a "major" breach that affected 500 or more individuals.
The Hospice of North Idaho in Hayden will pay a $50,000 fine and has entered into a resolution agreement and corrective action plan with OCR.
The hospice in February 2011 reported to OCR the theft of a laptop computer in June 2010 containing PHI on 441 individuals.
To comply with federal law, organizations must annually notify OCR of breaches affecting fewer than 500 individuals, and must give notification of larger breaches within 60 days of discovery.
OCR notified the hospice in June 2011 that it was investigating the breach, and contends in the resolution agreement that the hospice did not adequately implement sufficient protections to ensure security of electronic protected health information from the April 21, 2005, HIPAA security rule compliance date until Jan. 17, 2012.
The Hospice of North Idaho in the agreement does not admit liability, but does not contest the validity of obligations agreed to under the settlement and agrees to comply with a corrective action plan.