Thursday, February 7, 2013

HIPAA Fine Signals Higher Level of Enforcement


In the past, “500” was the magic number for HIPAA settlements of breaches of unsecured protected health information (PHI). All reported fines occurred where more than 500 individuals were affected.

That is no longer the case.

The Department of Health and Human Services (HHS) recently announced a $50,000 fine against an Idaho hospice after the theft of a single unencrypted laptop containing unsecured PHI. In fact, the Hospice of Northern Idaho (HONI) had not even conducted a risk analysis of the major security threats. As a result, 441 patients had their data stolen.

The HITECH Act requires two types of reporting to HHS when a breach of unsecured PHI occurs:

- Immediately, if the breach affects 500 or more individuals
- Annually, for all other breaches

HONI’s fine and settlement agreement were a result of the second type of HHS reporting. Employers must face certain realities related to health information in the 21st century: much of it is stored on, accessed from, or transmitted by devices that do not stay in the workplace. The risks with mobile devices (e.g., cell phones, tablets, laptops) are many, and an unencrypted device that leaves the premises is the scenario that turned a single stolen laptop into a reportable breach for HONI. HHS has made available several useful resources in this area.

What types of precautions have you taken to mitigate risk for your mobile devices? How often do you update your HIPAA risk analysis? Please comment below.
