Surviving and Learning from HIPAA Violations

Nina Rogozen, Staff Writer

Hospice of North Idaho Talks About Its Breach

A local Northwest hospice organization made news recently when it announced its $50,000 fine based on HIPAA noncompliance. The executive director and IT director graciously agreed to talk with us—and our members—about their experience, what they learned, and the steps they have taken to become HIPAA-compliant.Despite a small-town hospice’s reputation for providing thoughtful, compassionate, and patient-centered care, something went terribly wrong in June 2010. The U.S. Health and Human Services’ (HHS) accusation of HIPAA violations tossed the clinic into a tornado of serious business challenges, a hefty $50,000 fine, and a time-intensive HIPAA-compliance overhaul.   

Hospice of North Idaho (HONI), established in 1981, is a nonprofit, Medicare-certified facility in the small town of Hayden, Idaho. A team of medical providers, volunteers, therapists, dieticians, social workers, and grief counselors care for terminally ill patients and their families. They skillfully attend to patients in their homes or at Hospice House, HONI’s 12-room, inpatient facility. However, by the time the Office for Civil Rights (OCR), the HIPAA enforcement arm of HHS, finished its investigation, it was clear that HONI’s day-to-day operations would need its own intensive care.

It Only Took an Instant

Shockingly, the seed of HONI’s OCR trouble sprouted in about 45 seconds—just long enough for a thief to take off with a hospice worker’s laptop from her locked car. The laptop contained unencrypted electronic protected health information (ePHI) of 441 hospice patients. In addition to compromised personal health information, identity theft was now also a huge risk for these patients. “We can provide free credit card monitoring for one year,” says Sue Howlett, HONI’s Director of IT, who began working at HONI after the breach occurred, “but a social security number is yours for life.” Luckily, there has been no indication of foul play and no sign that patients have been affected by the theft.

Why would the theft of a laptop from a locked car, with no indication of negative impact to patients, lead to a hefty $50,000 fine? The answer comes in layers. The first is HONI’s failure to encrypt the electronic files, which would have given them a fortress of protection by keeping unauthorized people out. The OCR investigation found that HONI, having no designated Privacy and Security Officer, had not conducted a mandated risk analysis to determine what steps were necessary to secure their patients’ PHI. HONI did not evaluate the likelihood of a theft happening or the potential confidentiality risks. In addition, they did not have in place policies and procedures to address mobile device security as required by the HIPAA Security Rule. All of these OCR findings were significant HIPAA violations.

Unfortunately, these oversights can happen even in well-organized, conscientious facilities. Additionally, due to resource constraints, they had outsourced their IT functions to a company that did not regularly deal with HIPAA regulations.

Taking Responsibility, Facing the Fine

When HHS finally determined the $50,000 fine, it was HONI that sent a press release to the local newspaper. When it landed on the front page, the local community was enraged that their small, local hospice resource was handed such a seemingly large fine. This outpouring of support bolstered HONI’s resolve. They had erred, and the fine illuminated their omissions, but they were taking steps to make things right. Management and staff embraced the challenge of business realignment and made major changes in both their practices and their culture.

Bravely Taking on the Challenge      

In 2011, after the data breach, Kim Ransier became executive director. With solid operations experience under her belt, she and the staff began their incredible journey, making it possible for HONI to become a secure, HIPAA-compliant hospice center. When asked what propelled everyone at HONI forward, Ransier’s answer was simple— “Our mission: With open hearts and expertise, we serve the seriously ill and those touched by loss, regardless of their ability to pay.”

Driven by this strong sense of mission, HONI recovered by making difficult business decisions and answering critical questions: How would they pay this hefty fine? How would they develop the new skills they needed? How could they restructure in order to hire in-house IT expertise? Should management lay off individuals or maintain staffing levels? Should they cut, keep, or suspend vital programs?

“Our staff is the best on the planet,” Ransier believes. Despite these significant business challenges, she said, “there was never a question of closing our doors. The $50,000 fine was a significant chunk of our annual operating revenue. We had to use funds from our annual fund-raisers to offset the expense, which delayed our Kids Bereavement Camp for at least a year.” Restructuring meant hiring in-house expertise to implement and maintain HIPAA-compliance measures. That is when they brought in Sue Howlett as director of IT.

When Howlett began at HONI, she started making changes, mindfully correcting the HIPAA violations that led to their $50,000 fine. Her first main function was getting the agency into compliance. Her logical steps are a good blueprint for action: Howlett conducted a thorough risk analysis and planned to routinely conduct them from then on. HONI now uses a new software program with encrypted files that reinforces HIPAA’s security and privacy rules. Their increased security measures include both their mobile and stationary equipment. Their security policies and procedures are stronger, including robust password enforcement.

“Part of my thinking and job as a leader is to constantly reinforce the importance of the HIPAA regulations with our staff, board, and volunteers,” says Howlett. She conducts staff trainings, presents updates at staff meetings, and sends out periodic security alerts. “It’s all part of our daily work now.”

HONI’s recovery has been substantial, and everyone has embraced the importance of their own compliance obligations. “Our director of IT is on top of these issues,” says Ransier. “We keep this process in the forefront of everyone’s mind, so we are prepared for future demands.”

Ransier is very pleased that HONI’s culture has shifted away from “We are small, nobody cares what we do.” Now she says, “Everybody understands the importance of compliance, including our board, whose members have undergone training as well. This experience really brought the center together in a new way. People are less isolated in their area of expertise or job category. Surviving this ordeal gave us a new, common focus, and it has touched every person and how they now do their job.”