Hospice hit with $50K fine for data breach
The Department of Health & Human Services (HHS) has a stern message for long-term care facilities: Just because your resident populations are small doesn’t mean you can be lax about medical record security.
Last week, the Hospice of North Idaho became HHS’s first facility with fewer than 500 residents to be fined for a patient information data breach, saddling the hospice with a whopping $50,000 bill.
The fine stems from a 2010 case of a stolen laptop that contained the protected health information of 441 hospice patients. Although the hospice informed HHS of the theft, an investigation ruled that the hospice had not taken the proper precautions to protect the data: the laptop was unencrypted and the hospice had not conducted risk assessments or implemented security protocols, HHS officials noted in a press statement.
The Health Insurance Portability and Accountability Act (HIPAA) patient privacy rules instituted hefty fines for facilities that fail to protect the privacy of medical data. Until now, most of those fined for breaking the rules have been hospitals and health systems, whose databases often hold thousands of patient records.
The HHS Office of the National Coordinator for Health Information Technology (ONC) has launched an initiative to increase awareness of the security risks related to mobile computing devices, such as tablets, smartphones and others.
Pamela Tabar was editor-in-chief of I Advance Senior Care from 2013-2018. She has worked as a writer and editor for healthcare business media since 1998, including as News Editor of Healthcare Informatics. She has a master’s degree in journalism from Kent State University and a master’s degree in English from the University of York, England.