The incidents giving rise to the agreement involved two Providence entities, Providence Home and Community Services and Providence Hospice and Home Care. On or about December 30, 2005, data contained on several computer backup disks and tapes was stolen from the unattended car of a Providence employee. In addition to the theft of disks and tapes, several laptop computers were stolen from Providence employees on September 29, 2005, December 7, 2005, February 27, 2006, and March 3, 2006. The laptops, disks and tapes involved in those thefts contained the unencrypted records of more than 386,000 patients of Providence.
Under the terms of the Resolution Agreement,
- Conduct a risk assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI when it is created, received, maintained, used or transmitted off-site;
- Implement a risk management plan that incorporates security measures sufficient to reduce the risks and vulnerabilities identified by the risk assessment to a reasonable and appropriate level; and
- Implement several physical and technical safeguards, including encryption, to ensure the protection of ePHI whenever it is stored or transported off-site by any portable device or electronic media.
Initially, HHS officials received more than 30 complaints about the stolen tapes and disks after Providence, pursuant to state notification laws, informed patients of theft. Providence also reported the stolen media to HHS. Providence faced a pending class action lawsuit alleging that the health system failed to safeguard the data as required by HIPAA and violated Oregon’s Unfair Trade Practices Act. The proposed class action was dismissed in November, 2007. The incident was also investigated by the Oregon Attorney General’s Office resulting in an Assurance of Voluntary Compliance Agreement requiring Providence to provide credit monitoring services, credit restoration services, implement security program enhancements and pay $95,764 into the Consumer Protection and Education Revolving Account.
Providence settlement and corrective action plan sends a signal that OCR and CMS are taking a stronger position against privacy and security incidents. The settlement should prompt providers who are required to comply with HIPAA to reexamine their privacy and security policies, procedures, employee training protocols and ongoing monitoring of compliance.