Hospice hit with $50K fine for data breach

The Department of Health & Human Services (HHS) has a stern message for long-term care facilities: Just because your resident populations are small doesn’t mean you can be lax about medical record security.

Last week, the Hospice of North Idaho became HHS’s first facility with fewer than 500 residents to be fined for a patient information data breach, saddling the hospice a whopping $50,000 bill.

The fine stems from a 2010 case of a stolen laptop that contained the protected health information of 441 hospice patients. Although the hospice informed HHS of the theft, an investigation ruled that the hospice had not taken the proper precautions to the data—the laptop was unencrypted and the hospice had not conducted risk assessments or implemented security protocols, HHS officials noted in a press statement.

The Health Insurance Portability and Accountability Act (HIPAA) patient privacy rules instituted hefty fines for facilities that fail to protect the privacy of medical data. Until now, most of those fined for breaking the rules have been hospitals and health systems, whose databases often hold thousands of patient records.

The HHS Office of the National Coordinator for Health Information Technology (ONC) has launched an initiative to increase awareness of the security risks related to mobile computing devices, such as tablets, smartphones and others.


Topics: Accountable Care Organizations (ACOs) , Advocacy , Regulatory Compliance