Interesting news on the HIPAA front. Seattle-based Providence Health & Services has agreed to a settlement over HIPAA security and privacy violations, the U.S. Department of Health and Human Services (HHS) announced last week. In what HHS called the first of its kind “resolution agreement,” Providence will pay $100,000 and implement a corrective plan after losing backup media and laptops containing personal health information in 2005 and 2006.
Previously, HHS’ Office for Civil Rights (OCR) and the Centers for Medicare & Medicaid Services (CMS), which enforce HIPAA’s privacy and security rules, settled complaints by requiring organizations to make changes to their security and privacy practices. A CMS spokesman said last fall that the agency preferred resolving problems rather than punishing mistakes, but this agreement with Providence may indicate that the government is stepping up HIPAA enforcement. A statement by Winston Wilkinson, OCR director, certainly seems to signal a change: “We are committed to effective enforcement of health information privacy and security protections for consumers. Other covered entities that are not in compliance with the privacy and security rules may face similar action.”
In the Providence case, backup tapes, optical disks and laptops containing unencrypted personally identifiable health information were taken out of two Providence home health care operations and later lost or stolen. More than 360,000 patients were affected. In addition to the fine, Providence agreed to revise its policies and procedures regarding safeguards for off-site transport and storage of electronic media containing patient information. It also must train employees on the safeguards, conduct audits and site visits of facilities, and submit compliance reports to HHS for three years.