A hospice in Idaho has agreed to pay the federal government $50,000 to settle a case involving the exposure of private health information for as many as 441 patients.

While the amount of money the Hospice of North Idaho (HONI) agreed to pay the U.S. Department of Health and Human Services (HHS) was relatively low, the case was significant. It was the first settlement involving potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule and a breach of information affecting fewer than 500 people.

According to the HHS, an investigation by its Office for Civil Rights began after HONI reported the June 2010 theft of an unencrypted laptop computer containing the electronic protected health information (ePHI) of 441 patients.

Laptops containing ePHI are regularly used by the hospice in its field work, but during its investigation, the HHS Office for Civil Rights determined that HONI had failed to safeguard the ePHI. HONI also did not have in place HIPAA-required policies and procedures to address the security of mobile electronic devices and any information they might contain.

According to the HHS, the Health Information Technology for Economic and Clinical Health Breach Notification Rule requires covered parties to report an impermissible use or disclosure of protected health information, or a “breach,” affecting 500 individuals or more to the HHS and the media within 60 days after the discovery of the breach. Smaller breaches affecting fewer than 500 people must be reported to the secretary on an annual basis.

“This action sends a strong message to the health-care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information,” said Leon Rodriguez, director of the HHS Office for Civil Rights. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

The settlement agreement between HONI and HHS can be found here.