OCR Issues First Fine for Non-Major Breach

The Department of Health and Human Services’ Office for Civil Rights is, for the first time, financially punishing an organization for a breach of protected health information that affected fewer than 500 individuals. This is a new policy, as OCR has previously limited issuance of hefty fines, and publicity of the fines, to several organizations following a “major” breach that affected 500 or more individuals.

The Hospice of North Idaho in Hayden will pay a $50,000 fine and has entered into a resolution agreement and corrective action plan with OCR. In February 2011, the hospice reported to OCR the June 2010 theft of a laptop computer containing PHI on 441 individuals. Organizations must annually notify OCR of breaches affecting fewer than 500 individuals, and must give notification of larger breaches within 60 days of discovery.

OCR notified the hospice in June 2011 that it was investigating the breach, and contends in the resolution agreement that the hospice did not implement sufficient protections to ensure the security of electronic protected health information from the April 21, 2005, HIPAA security rule compliance date until Jan. 17, 2012.

The Hospice of North Idaho in the agreement does not admit liability, a contention that OCR disputes in the next sentence: “This Agreement is not a concession by HHS that HONI is not in violation of the Privacy or Security Rules and that HONI is not liable for civil money penalties.”

Under the agreement, the hospice does not contest the validity of obligations agreed to under the settlement and agrees to comply with a corrective action plan. The resolution agreement and corrective action plan are available here.
