Last month the U.S. Department of Health and Human Services announced a first-of-its-kind settlement involving a breach of unsecured electronic protected health information. The Hospice of North Idaho agreed to pay HHS $50,000 to settle potential violations of the HIPAA security rule. The case arose when the hospice reported to HHS that an unencrypted laptop computer containing the electronic protected health information of 441 patients had been stolen. During its investigation, HHS discovered that the hospice did not have in place any policy or procedure to address mobile device security as required by the HIPAA security rule. The settlement was the first involving a potential breach of the electronic protected health information of fewer than 500 patients.
This settlement signals that HHS is stepping up enforcement of HIPAA security rule violations and that even small covered entities need to fully comply. Covered entities should familiarize themselves with the requirements for securing electronic protected health information on mobile devices. The HHS Office for Civil Rights has posted practical tips for protecting electronic PHI on mobile devices such as laptops, tablets, and smartphones.