The Providence HIPAA Corrective Action Plan: Raising the Compliance Bar?

June 24, 2011
When the government enters into a settlement agreement or corrective action plan to correct an alleged violation of law, the plan typically includes more rigorous compliance standards than would ordinarily be expected of an organization. The recent landmark Settlement Agreement and Corrective Action Plan entered into between the Department of Health and Human Services and Providence Health & Services is no exception. The Corrective Action Plan does, however, provide a clearer picture into how HHS is thinking about HIPAA compliance matters. The standards included in the Providence plan certainly constitute privacy and security best practices, and could be an indication that HHS (through its agencies the Centers for Medicare and Medicaid Services and the Office of Privacy Protection) is raising the bar for HIPAA compliance.

Under the terms of the Corrective Action Plan, Providence is required to:

(1) Implement specific physical and technical safeguards governing the off-site storage and transport of backup electronic media and the physical security of portable devices;

(2) Implement technical safeguards governing encryption of backup electronic media and portable devices;

(3) Implement other technical safeguards (e.g., password protection) for backup electronic media and portable devices; and

(4) Require the Chief Information Security Officer to conduct quarterly "Monitor Reviews," which must include unannounced site visits, interviews with a random sample of workforce members who use backup electronic media and portable devices, and random inspection of a sample of portable devices.

Consistent with the guidance document issued by CMS in 2006 on security of portable devices, HHS clearly views backup electronic media and portable devices as a major security risk. All HIPAA covered entities would be well served to take a long, hard look at the Providence Corrective Action Plan and consider whether they should heighten their security compliance efforts in this area.
