First HIPAA Settlement for Breach Affecting Less Than 500
PRIVACY LAW—U.S.
January 3, 2013
The Hospice of North Idaho has agreed to pay the U.S. Department of Health and Human Services (HHS) $50,000 to settle potential HIPAA violations, the first settlement for a breach affecting less than 500 individuals. Wiley Rein’s Kirk Nahra, CIPP/US, told the Daily Dashboard the settlement is significant in that it emphasizes how HHS’ Office for Civil Rights (OCR) is currently conducting its investigations. “Specifically, the facility had not conducted an appropriate HIPAA Security Rule ‘risk analysis’ as part of its overall compliance with the HIPAA Security Rule. Second, the facility had not implemented appropriate security controls for mobile devices,” he said, adding that the settlement is a reminder that “OCR’s current practice is to investigate a wide range of issues beyond the initial trigger for the investigation” and of “the importance of overall risk analysis, across a company’s operations with a focus on mobile devices.” Meanwhile, FierceHealthIT reports on recent health data breaches.