I was surprised to read this morning that Hospice of North Idaho had settled charges by HHS over a laptop stolen from an employee’s car in the summer of 2010.
I was surprised, in part, because I was not aware of this incident at all as it had not appeared in HHS’s breach tool. Since it occurred after HITECH went into effect, it’s possible that the breach affected less than 500 patients. According to a statement from the hospice reported by David Cole of the Coeur d’Alene Press, the hospice had appropriately reported the incident at the time to HHS.
So why did HHS fine this hospice $50,000? Was it to make some point about leaving laptops in unattended cars? If so, I approve in principal, but why this hospice instead of one of the many other covered entities that have had laptops stolen from cars? At least in this case, it is somewhat more understandable that an employee would have removed patient data from the office as they provide home-based hospice services.
Should the data have been encrypted or otherwise protected? Obviously. And do I agree with the hospice’s statement that “The theft of the laptop was out of our hands?” Obviously not. If you wouldn’t leave your wallet with all your credit cards and IDs in your car to be stolen, you shouldn’t be leaving a laptop with patient information in your car to be stolen. And if you would leave your wallet in your car, I personally don’t think you should ever be trusted with patient data.
But a $50,000 fine for a hospice that self-reported a breach seems harsh, particularly when we think of all the other cases where no fine was imposed.
There is no statement on the hospice’s web site at this time. Nor on HHS’s. I’ve e-mailed both requesting a statement or explanation as to why this breach resulted in a fine and hope we’ll find out more.
Having heard OCR talk on this subject several times, their reasoning is simple. The HIPAA Privacy/Security rule have been in place for years. An organization, whether self reporting or reported by a third party, should have been following the regulations. Even the Omnibusman rule under HITECH is enforceable, even though not final. If they hadn’t self reported the fines could have been much higher. I am sure they looked to see if they had done a risk assessment, developed appropriate policies, educated their staff, and checked to assure that their workforce followed their policies. The fine was rather small compared to some recent $1.5M judgements.
Thanks, Bill, and you make sense, but given the embarrassment of riches to choose from on stolen laptops, I just didn’t understand why this one (and not others). This is where a statement/press release by them would be helpful. Perhaps it’s as you suggest – that there had been no risk assessment or other protections in place, but if HHS wants entities to learn a lesson from this, they need to be clear about what the take-home message should be.
I have contacted a lawyer and he said this could clearly be a class action suit. My information it appears to been on that electronic device. Im not sure why certain information was very unclear on the letter I recieved but I truely believe not all is being told.