HHS imposes $50K fine on Idaho Hospice for loss of 500 patient records

We’ve been advising health care professionals for two years to treat health care privacy compliance seriously because federal enforcement of privacy regulations would expand. Well, it’s here and the investigations and fines have begun.

The U.S. Department of Health and Human Services (HHS), responsible for privacy rules, designates its Office of Civil Rights (OCR) with enforcement and investigations. OCR recently investigated a report by the Hospice of North Idaho (HONI) that unencrypted laptops with patient records had been stolen. HONI staff regularly used laptops with patient records; but, HONI had not conducted a risk assessment as required by law and had not adopted policies and procedures to address the potential loss of patient information stored on mobile devices.

HHS imposed a fine of $50,000 and required HONI to implement extensive measures to protect against future violations of privacy rights. As the OCR director pointed out, “Encryption is an easy method for making lost information unusable, unreadable, and undecipherable.”

HHS has created a website dedicated to protecting patient information on mobile devices on their website www.healthit.gov/mobiledevices.