In the past, “500” was the magic number for HIPAA settlements of breaches of unsecured protected health information (PHI). All reported fines occurred where more than 500 individuals were affected.
That is no longer the case.
The Department of Health and Human Services (HHS) recently announced a $50,000 fine against an Idaho hospice after the theft of a single unencrypted laptop containing unsecured PHI. In fact, the Hospice of Northern Idaho (HONI) had not even conducted a risk analysis of the major security threats. As a result, 441 patients had their data stolen.
The HITECH Act requires two types of reporting to HHS when a breach of unsecured PHI occurs:
· Immediately, if the breach affects 500 or more individuals
· Annually, for all other breaches