HHS, Providence Health & Services Agree on Corrective Action Plan to Protect Health Information
On July 16, 2008, the U.S. Department of Health & Human Services (HHS) entered into a Resolution Agreement with Seattle-based Providence Health & Services (Providence) to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.
In the agreement, Providence agrees to pay $100,000 and implement a detailed Corrective Action Plan to ensure that it will appropriately safeguard identifiable electronic patient information against theft or loss. The Resolution Agreement relates to Providence's loss of electronic backup media and laptop computers containing individually identifiable health information in 2005 and 2006.
A Resolution Agreement is a contract signed by HHS and a covered entity in which the covered entity agrees to perform certain obligations (e.g., staff training) and make reports to HHS for a period of years, typically three years. During the period, HHS monitors the compliance of the covered entity with the obligations it has agreed to perform.
With respect to the HIPAA Privacy and Security Rules, this is the first time HHS has required a Resolution Agreement from a covered entity. Providence's cooperation with OCR and CMS allowed HHS to resolve this case without the need to impose a civil money penalty.
The incidents giving rise to the agreement involved two entities within the Providence health system, Providence Home and Community Services and Providence Hospice and Home Care. On several occasions between September 2005 and March 2006, backup tapes, optical disks, and laptops, all containing unencrypted electronic protected health information, were removed from the Providence premises and were left unattended. The media and laptops were subsequently lost or stolen, compromising the protected health information of over 386,000 patients. HHS received over 30 complaints about the stolen tapes and disks, submitted after Providence, pursuant to state notification laws, alerted patients to the theft. Providence also reported the stolen media to HHS. OCR and CMS together focused their investigations on Providence's failure to implement policies and procedures to safeguard this information.
As a result, Providence agrees to pay a $100,000 resolution amount to HHS and implement a robust Corrective Action Plan that requires: revising its policies and procedures regarding physical and technical safeguards (e.g., encryption) governing off-site transport and storage of electronic media containing patient information, subject to HHS approval; training workforce members on the safeguards; conducting audits and site visits of facilities; and submitting compliance reports to HHS for a period of three years.