For those who were wondering when the federal government would start taking a more aggressive, proactive approach to HIPAA privacy and security enforcement, they now have their answer.
On July 17, 2008, the United States Department of Health and Human Services (HHS) entered into a Resolution Agreement with Seattle-based Providence Health & Services to settle alleged violations of the HIPAA Privacy Rule and Security Rule. This is the first time a HIPAA covered entity has been required to enter into a Resolution Agreement for alleged violations of the Privacy and Security Rules.
The factual circumstances that resulted in the Resolution Agreement involved Providence Home and Community Services and Providence Hospice and Home Care, two entities within the Providence health system. Between September 2005 and March 2006, backup tapes, optical disks and laptop computers that contained unencrypted protected health information ("PHI") were removed from Providence's facilities, left unattended and ultimately lost or stolen. The electronic media and laptop computers contained the PHI of over 386,000 patients.
Under the terms of the Resolution Agreement, Providence agreed to pay $100,000 to HHS and to implement a Corrective Action Plan that includes:
(1) Subject to HHS approval, revising its policies and procedures regarding physical and technical safeguards governing off-site transport and storage of electronic media containing PHI;
(2) Training workforce members with respect to the safeguards implemented to protect the privacy and security of PHI;
(3) Conducting audits and site visits of the Providence facilities; andÂ
(4) Submitting compliance reports to HHS for a period of three years.
It is significant to note the $100,000 resolution amount does not constitute a civil money penalty.
The security breach incident that prompted this Resolution Agreement is certainly not unique. Other healthcare organizations have suffered comparable breaches in just the past year. It will be very interesting to observe, however, whether this Resolution Agreement is unique, or the beginning of a new series of HIPAA enformcent actions by the HHS Office for Civil Rights (OCR) and the Centers for Medicare and Medicaid Services (CMS).