When the government enters into a settlement agreement or corrective action plan to correct an alleged violation of law, the plan typically includes more rigorous compliance standards than would ordinarily be expected of an organization. The recent landmark Settlement Agreement and Corrective Action Plan entered into between the Department of Health and Human Services and Providence Health & Services is no exception. The Corrective Action Plan does, however, provide a clearer picture of how HHS is thinking about HIPAA compliance matters. The standards included in the Providence plan certainly constitute privacy and security best practices, and could be an indication that HHS (through its agencies the Centers for Medicare and Medicaid Services and the Office of Privacy Protection) is raising the bar for HIPAA compliance.
Under the terms of the Corrective Action Plan, Providence is required to:
(1) Implement specific physical and technical safeguards governing the off-site storage and transport of backup electronic media and the physical security of portable devices;
(2) Implement technical safeguards governing encryption of backup electronic media and portable devices;
(3) Implement other technical safeguards (e.g., password protection) for backup electronic media and portable devices; and
(4) On a quarterly basis, the Chief Information Security Officer is required to conduct "Monitor Reviews," which must include unannounced site visits, interviews with a random sample of workforce members who use backup electronic media and portable devices, and random inspection of a sample of portable devices.
Consistent with the guidance document issued by CMS in 2006 on security of portable devices, HHS clearly views backup electronic media and portable devices as a major security risk. All HIPAA covered entities would be well served to take a long, hard look at the Providence Corrective Action Plan and consider whether they should heighten their security compliance efforts in this area.