Hospice of North Idaho takes great care of people, but one of its employees failed to take care with a laptop. That lapse cost the organization $50,000.
The computer contained the unencrypted information of 441 HONI patients when it was stolen in 2010. That number is important, because it explains why the U.S. Department of Health & Human Services put out a national news release Wednesday announcing a settlement with HONI. The hospice had the unfortunate distinction of becoming the first health care provider with fewer than 500 patients to be cited for potential violations of the confidentiality provisions of the Health Insurance Portability and Accountability Act of 1996. That’s a bad place to be as health care providers and insurers concentrate on the implementation of Obamacare, and all the patient information issues that arise with a national health care system.
The hospice’s proactive response – it self-reported the missing laptop – helped minimize the amount of money involved in the settlement.
But the federal government wants all to know that the casual handling of patient records will not be tolerated.
Message delivered. The settlement grabbed a lot of attention in health care and computer security publications and blogs.
Universal implementation of electronic medical record systems is among the measures health reform supporters say will lower the cost of care. But the associated cyber security issues this raises are gargantuan, and astute patients mindful of their privacy are watching.
Since 2003, HHS has received 74,554 complaints. About one-third were investigated, and most of those resulted in “corrective actions.” HONI’s case is among just 11 that concluded with monetary settlements. The first culprit was Providence Health & Services, which in 2008 coughed up $100,000 for mishandling devices with patient information. Several settlements have exceeded $1 million.
In one case, HHS imposed civil penalties.
The costs go beyond just the settlement expenses. HONI, which had outsourced some information technology and human resource responsibilities, brought those duties in-house.
The conclusion of the investigation into the stolen laptop coincided with the HHS announcement that Idaho has the go-ahead to create its own insurance exchange, which will become the primary marketplace for consumers and businesses. Software for the exchanges is designed to permit access to consumer information on a need-to-know basis. In Washington, plans call for blocking downloads of the information about individuals to mobile devices like laptops.
Living up to the letter of HIPAA will be critical, be it 441 patients or 300 million. The access to health care many will enjoy for the first time will be a comfort, but distrust among opponents will be multiplied many-fold if the security of their personal medical information is breached.
It’s just unfortunate HHS felt it had to collect $50,000 from a small North Idaho hospice to get that point across.