The Other Shoe Drops: HHS Announces The First HIPAA Resolution Agreement

June 24, 2011

For those who were wondering when the federal government would start taking a more aggressive, proactive approach to HIPAA privacy and security enforcement, they now have their answer.

On July 17, 2008, the United States Department of Health and Human Services (HHS) entered into a Resolution Agreement with Seattle-based Providence Health & Services to settle alleged violations of the HIPAA Privacy Rule and Security Rule. This is the first time a HIPAA covered entity has been required to enter into a Resolution Agreement for alleged violations of the Privacy and Security Rules.

The factual circumstances that resulted in the Resolution Agreement involved Providence Home and Community Services and Providence Hospice and Home Care, two entities within the Providence health system. Between September 2005 and March 2006, backup tapes, optical disks and laptop computers that contained unencrypted protected health information ("PHI") were removed from Providence's facilities, left unattended and ultimately lost or stolen. The electronic media and laptop computers contained the PHI of over 386,000 patients.

Under the terms of the Resolution Agreement, Providence agreed to pay $100,000 to HHS and to implement a Corrective Action Plan that includes:

(1) Subject to HHS approval, revising its policies and procedures regarding physical and technical safeguards governing off-site transport and storage of electronic media containing PHI;

(2) Training workforce members with respect to the safeguards implemented to protect the privacy and security of PHI;

(3) Conducting audits and site visits of the Providence facilities; and

(4) Submitting compliance reports to HHS for a period of three years.

It is significant to note the $100,000 resolution amount does not constitute a civil money penalty.

The security breach incident that prompted this Resolution Agreement is certainly not unique. Other healthcare organizations have suffered comparable breaches in just the past year. It will be very interesting to observe, however, whether this Resolution Agreement is unique, or the beginning of a new series of HIPAA enforcement actions by the HHS Office for Civil Rights (OCR) and the Centers for Medicare and Medicaid Services (CMS).
