HHS has announced a Resolution Agreement (here) with a nonprofit hospice organization in Idaho, resolving its investigation of a HIPAA breach involving the theft of a laptop computer. Although much about this case is similar to others like it that HHS has settled in the past few months (see, for example, here), the noteworthy points in this case are the ways in which it differs.
Size of Breach. The breach in this case involved electronic protected health information of 441 individuals. That’s a lot of people, but it is the first case HHS has resolved involving a breach affecting fewer than 500 individuals. (Because the breach affected fewer than 500 individuals, it would not have been disclosed to HHS immediately, but rather would have been identified on a log as part of the annual breach-notification requirement.)
The point: HHS takes these cases seriously, whether they involve thousands of individuals or just a few hundred. A breach will not stay below the government's radar just because there is no separate notification requirement.
Resolution Amount and Corrective Action Plan. The case was resolved for a resolution amount of $50,000 (compared to over $1M in other recent cases), and HHS demanded a relatively light corrective action plan. Why would HHS be more lenient here? Reading between the lines, the answer seems to be based on the covered entity’s voluntary efforts to correct its error and take steps to prevent similar problems from occurring in the future.
The Resolution Agreement indicates that once the covered entity discovered the breach, it immediately began taking steps to rectify its failings under the HIPAA security rule, even before reporting the breach to HHS or receiving notification of HHS’s investigation. It voluntarily conducted a risk analysis and implemented new security measures for portable electronic devices. Although these steps could not prevent exposure to all penalties, they may have helped minimize the sanction.
Take-Aways for Health Plans. The covered entity in this case was not a health plan, but the case reflects some important take-aways for all covered entities, including health plans:
1. Small is No Defense. The size of the covered entity and the number of affected individuals will not necessarily protect it from investigation and enforcement activity.
2. Compliance With the Security Rule is Critical. HHS continues to show significant interest in compliance with the fundamental requirements of the HIPAA security rule, including the requirement to perform a risk analysis and implement reasonable security measures based on that assessment. Compliance with the privacy rule alone is not enough.
3. Voluntary Compliance is Worthwhile. Even in a worst-case scenario, when a reportable breach affecting hundreds of individuals has occurred, contrition and voluntary compliance are important and may give the covered entity “credit” in working out a final resolution with HHS.