The Department of Health and Human Services’ Office for Civil Rights for the first time is financially punishing an organization for a breach of protected health information that affected less than 500 individuals. This is a new policy as OCR has previously limited issuance of hefty fines--and publicity of the fines--against several organizations following a “major” breach that affected 500 or more individuals.

The Hospice of North Idaho in Hayden will pay a $50,000 fine and has entered into a resolution agreement and corrective action plan with OCR. The hospice in February 2011 reported to OCR the theft of a laptop computer in June 2010 containing PHI on 441 individuals. Organizations must annually notify OCR of breaches affecting less than 500 individuals, and must give notification of larger breaches within 60 days of discovery.

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access