The Hospice of North Idaho (HONI) has agreed to pay $50,000 to the Department of Health and Human Services (HHS) to settle a HIPAA breach case. Next to the $1 million Massachusetts General Hospital paid HHS over its own breach, the HONI amount looks like peanuts. But the HONI case is a historic one: it is the first time HHS has taken enforcement action over a breach affecting fewer than 500 individuals. Of course, had the laptop in question been protected with full disk encryption (AlertBoot's, for example), its theft would not have been a reportable breach in the first place. But then, who are we to stand in the way of history?
441 Protected Health Records Stolen
According to the government's own press release, HONI's breach occurred when an unencrypted laptop computer was stolen in June 2010. The missing encryption is the whole story: under the HIPAA/HITECH Breach Notification Rule, encrypting ePHI to the standard in HHS guidance is the practical way for a covered entity to qualify for safe harbor, so the loss of an encrypted laptop would not have counted as a reportable breach at all.
Although fewer than 500 individuals were affected, an investigation by the HHS Office for Civil Rights (OCR) found that HONI had not addressed basic security requirements:
Over the course of the investigation, OCR discovered that HONI had not conducted a risk analysis to safeguard ePHI. Further, HONI did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule. Since the June 2010 theft, HONI has taken extensive additional steps to improve their HIPAA Privacy and Security compliance program. [hhs.gov]
Of course, there is nothing magical about the number 500. It is simply the cutoff the Breach Notification Rule uses: a breach affecting 500 or more individuals must be reported to HHS promptly (no later than 60 days after discovery) and is posted on the public breach list, the so-called "Wall of Shame", while smaller breaches are logged and reported to HHS annually. From the patient's point of view the threshold is meaningless: the 441 people whose records were on that laptop face exactly the same risks whether or not 59 others happen to be affected alongside them.
The HHS finally seems to want the world to realize that:
“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information,” said OCR Director Leon Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.” [hhs.gov]
A strong message it is, indeed. There had been much speculation that the name-and-shame policy would not have much impact, because most data breaches involve fewer than 500 people's records. Indeed, if memory serves, over 95% of HIPAA data breaches involve fewer than 500 individuals, which meant that publicly shaming only the large ones would miss most incidents.
ROI – Kinda Worth It?
Monetary settlements and fines at this level always leave me a little concerned. On the one hand, $50,000 is nothing to sneeze at. On the other hand, I can imagine all kinds of wheels turning in accountants' heads.
For example, say a disk encryption solution costs about $200 per endpoint, including the back-office infrastructure and other digital accoutrements that come with it. (AlertBoot, by the way, costs significantly less because it is entirely cloud-based.)
An organization with 250 laptops to protect is then looking at $50,000, and if that outlay recurs every year, $250,000 over five years. If it suffers one data breach every five years, skipping encryption "saves" 80% under this model, assuming (1) every breach stays under the 500-individual threshold and (2) HHS levies a $50,000 fine each time.
It's messed up, but some people honestly think about these issues this way. Thankfully, fines are not confined to such low amounts (under the tiered penalties introduced by HITECH, civil penalties can reach $1.5 million per year for violations of a single provision), there is no guarantee that a medical data breach will stay below a head count of 500, and the settlement itself is only part of the bill: notification costs, credit monitoring, legal fees and the corrective action plan that typically accompanies a resolution agreement all come on top of it.