Healthcare Settlement Highlights Risk Analysis, Encryption Importance

The Department of Health and Human Services (HHS) recently announced the first HIPAA breach settlement involving fewer than 500 patients. The Hospice of North Idaho (HONI) agreed to pay $50,000 after an investigation found the organization had violated the HIPAA security rule. HHS' Office for Civil Rights (OCR) began its investigation after HONI reported an unencrypted laptop containing electronic personal health information on 441 people was stolen in June 2010.

During the course of its investigation, OCR found HONI failed to conduct a risk analysis to protect personal health information throughout the organization, according to an HHS statement. In addition, the hospice didn't have "in place policies or procedures to address mobile device security, as required by the HIPAA security rule," the statement said. However, since the 2010 theft, the organization "has taken extensive additional steps to improve their HIPAA privacy and security compliance program."

OCR director Leon Rodriguez said in an interview with InformationWeek Healthcare that since the settlement was the first of its kind, he hopes it draws attention to OCR's overall monetary enforcement program, which "effectively delivers the message to the healthcare industry that we take privacy and security seriously," he said. "We're willing to work with providers and provide technical assistance to provide clear guidance and work with them on how to best provide education. But, at the same time, enforcement is now a reality throughout the industry."

[ To see how patient engagement can help transform medical care, check out 5 Healthcare Tools To Boost Patient Involvement. ]

Rodriguez added the settlement doesn't reflect a newfound focus on small breach reports on behalf of OCR. "Generally, we identify monetary enforcement cases by looking at situations we become aware of after a long-standing pattern of systematic non-compliance that correlates with the risk of the breach, not necessarily the breach itself," he said. "That's what brings out attention to a provider; it's more of what we see in terms of behavior of the provider once we look."

In regard to HONI, Rodriguez said two main issues came to light throughout the investigation. For starters, he said, the organization had failed to encrypt the device. "Lack of encryption is what's called an addressable requirement; it's a requirement but one that can be satisfied by applying a credible alternative ... [A provider] can do just as well with strong security or password protection."

The second issue, he added, was failure to conduct a risk analysis. According to Rodriquez, all organizations need to look at business processes and places where personal health information is stored, and take steps to mitigate risks of a breach. An inadequate risk analysis is a "global issue" among organizations, he said. Additionally OCR has found that, although there are alternatives to encryption, like HONI many organizations will either encrypt or "not do anything at all," he said. "In my semi-educated hypothesis about that, a lot of providers find at the end of the day that encryption is the safest and most cost-effective thing they can do to protect the information," he said.

A new educational initiative launched by HHS in December highlights other practical ways to protect patient data. The initiative, called "Mobile Devices: Know the Risks. Take the Steps. Protect and Secure Health Information," involves a set of tools providers and organizations can access online. Videos, fact sheets and posters that promote best practices to safeguard information are available for download.

Tech spending is looking up, but IT must focus more on customers and less on internal systems. Also in the new, all-digital Outlook 2013 issue of InformationWeek: Five painless rules for encryption. (Free registration required.)