HHS has entered into a Resolution Agreement with Seattle-based Providence Health & Services (Providence) to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. This is the first time HHS has required a Resolution Agreement from a covered entity. Under the agreement, Providence will pay $100,000 and implement a detailed Corrective Action Plan (CAP) to ensure that it will appropriately safeguard identifiable electronic patient information against theft or loss. Providence's cooperation with the Office of Civil Rights (OCR) and CMS allowed HHS to resolve this case without the imposition of civil money penalties.
HIPAA violations. On several occasions between September 2005 and March 2006, backup tapes, optical disks, and laptops, all containing unencrypted electronic protected health information (PHI), were removed from the Providence premises and left unattended. The media and laptops were subsequently lost or stolen, compromising the PHI of over 386,000 patients. HHS received over 30 complaints about the stolen tapes and disks after Providence alerted patients to the theft.
CAP. The CAP requires that Providence: (1) revise its policies and procedures regarding encryption and physical safeguards governing off-site transport and storage of electronic media containing patient information, subject to HHS approval; (2) train workforce members on the safeguards; (3) conduct audits and site visits of facilities; and (4) submit compliance reports to HHS for a period of three years.
HHS Press Release, July 17, 2008.