The Other Shoe Drops: HHS Announces The First HIPAA Resolution Agreement

June 24, 2011

For those who were wondering when the federal government would start taking a more aggressive, proactive approach to HIPAA privacy and security enforcement, they now have their answer.

On July 17, 2008, the United States Department of Health and Human Services (HHS) entered into a Resolution Agreement with Seattle-based Providence Health & Services to settle alleged violations of the HIPAA Privacy Rule and Security Rule. This is the first time a HIPAA covered entity has been required to enter into a Resolution Agreement for alleged violations of the Privacy and Security Rules.

The factual circumstances that resulted in the Resolution Agreement involved Providence Home and Community Services and Providence Hospice and Home Care, two entities within the Providence health system. Between September 2005 and March 2006, backup tapes, optical disks and laptop computers that contained unencrypted protected health information ("PHI") were removed from Providence's facilities, left unattended and ultimately lost or stolen. The electronic media and laptop computers contained the PHI of over 386,000 patients.

Under the terms of the Resolution Agreement, Providence agreed to pay $100,000 to HHS and to implement a Corrective Action Plan that includes:

(1) Subject to HHS approval, revising its policies and procedures regarding physical and technical safeguards governing off-site transport and storage of electronic media containing PHI;

(2) Training workforce members with respect to the safeguards implemented to protect the privacy and security of PHI;

(3) Conducting audits and site visits of the Providence facilities; and

(4) Submitting compliance reports to HHS for a period of three years.

It is significant to note the $100,000 resolution amount does not constitute a civil money penalty.

The security breach incident that prompted this Resolution Agreement is certainly not unique. Other healthcare organizations have suffered comparable breaches in just the past year. It will be very interesting to observe, however, whether this Resolution Agreement is unique, or the beginning of a new series of HIPAA enforcement actions by the HHS Office for Civil Rights (OCR) and the Centers for Medicare and Medicaid Services (CMS).
