The HHS Office for Civil Rights (OCR) has fined the Hospice of North Idaho (HONI) $50,000 for a breach resulting from a stolen laptop. What makes this case notable is that it is the first time OCR has fined an organization for a breach affecting fewer than 500 patients. We will look at the details of the breach and then compare the cost of protecting patient information with the expense of having a breach.
The breach resulted from an unencrypted laptop that was stolen from an employee’s car. The laptop contained the electronic protected health information (ePHI) of 441 patients.
OCR’s investigation into the incident found that HONI had failed to implement appropriate safeguards to protect patient information. Specifically, HONI:
- Had not conducted a risk analysis of the threats to its ePHI.
- Had no policies or procedures in place to address mobile device security.
OCR Director Leon Rodriguez summed up what is becoming clearer every day:
“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information,” said OCR Director Leon Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”
A closer look at the numbers
According to the Chamber of Commerce’s online listing, HONI has 32 employees. Let’s assume 10 of those employees have laptops that contain ePHI. Let’s look at how much it would have cost HONI to properly safeguard those laptops and be compliant with the HIPAA Security Rule.
The HIPAA Secure Now! service for an organization with 11 to 50 employees costs $2,250.00. The service provides a detailed risk assessment, HIPAA security policies and procedures, and employee training. With HIPAA Secure Now!, HONI would have had both of the items it was fined for covered: a documented risk analysis and written policies for mobile devices.
Again, we will assume HONI has 10 laptops that contain ePHI. Laptop encryption would cost HONI $85 per laptop per year. So for $850 a year, each of the 10 laptops would be encrypted and HONI would meet the HIPAA Security Rule requirement. There is a second benefit beyond compliance: under the HIPAA Breach Notification Rule, ePHI encrypted in a manner consistent with HHS guidance (which points to NIST SP 800-111 for data at rest) is not “unsecured PHI,” so the theft of a properly encrypted laptop, with the key not compromised, would not have been a reportable breach at all.
HIPAA Secure Now! service: $2,250.00
Laptop encryption: $850.00
Total cost: $3,100.00
For $3,100 HONI could have avoided a $50,000 fine. But as we have pointed out before, the real cost of a data breach is not only the fine an organization receives. The real cost is much higher once negative publicity, lost revenue, notification costs and similar expenses are counted. According to the Ponemon 2011 Cost of Data Breach Study, the cost of a data breach in healthcare was $240 per record, and that figure does not include any regulatory fines. Let’s apply that number to the 441 records that were breached.
441 x $240 per record = $105,840 in breach related expenses
Now add the $50,000 fine that HONI received from OCR
$105,840 + $50,000 = $155,840
Putting all the numbers together, it is clear that for a minimal investment HONI could have saved itself a great deal of money.
$3,100 to implement the appropriate safeguards to protect ePHI
$155,840 for not implementing the appropriate safeguards to protect ePHI
HIPAA security isn’t that hard to implement, and it isn’t that expensive. The HONI breach shows that it is much cheaper to implement the proper safeguards than to bear the expense and embarrassment of a HIPAA breach.