Precipitating Event: Stolen Laptop with just 441 patient records.
On February 16, 2011, the HHS Office for Civil Rights (OCR) received notification from XYZ Small Hospice regarding the theft of a laptop computer containing the protected health information (PHI) of 441 individuals. On July 22, 2011, OCR notified XYZ Small Hospice of OCR’s investigation regarding XYZ Small Hospice’s compliance with the Privacy, Security, and Breach Notification Rules.
[Editorial Note: This is a short case study because the conclusion is simple and obvious: With this case, the HIPAA Police put every small practice in America on notice. One laptop, containing just 441 patient records cost this tiny clinic $50,000.]
(Minor modifications for readability.)
"a laptop computer containing the PHI of 441 individuals"
Let's be clear and concise: THIS COULD HAPPEN TO EVERY PRACTICE IN AMERICA.
Ask Yourself: Do you have one unencrypted laptop with a few hundred patient records on it? Do you want to write a check for $50,000 to the government?
This was a seminal prosecution for the HIPAA Police. With this violation, the HIPAA Police put every small practice on notice. In prior HIPAA violations, the number of patients affected exceeded 500. Hope you got the notice! If not, act now!
The Corrective Action Plan was unusual. It seems that XYZ Small Hospice had already done a risk assessment and did have a risk management plan. Normally the HIPAA Police force the violator to do those things. In this case they did not. The HIPAA Police just said to make sure to investigate and report any breaches. Very unusual.
For XYZ Small Hospice, the person who signed the Resolution Agreement has the title 'Interim Executive Director.' Not hard to see that the previous executive director decided to spend more time with the family.
In case you missed it: a tiny hospice provider had one laptop stolen with just 441 patient records and they paid a HIPAA fine of $50,000. Please re-read that sentence a few times - make sure it sinks in. Hospitals got the message but, for some reason, nearly every small practice is still not HIPAA compliant.