The incidents giving rise to the agreement involved two Providence entities, Providence Home and Community Services and Providence Hospice and Home Care. On or about December 30, 2005, data contained on several computer backup disks and tapes was stolen from the unattended car of a Providence employee. In addition to the theft of disks and tapes, several laptop computers were stolen from Providence employees on September 29, 2005, December 7, 2005, February 27, 2006, and March 3, 2006. The laptops, disks and tapes involved in those thefts contained the unencrypted records of more than 386,000 patients of Providence.
Under the terms of the Resolution Agreement, Providence must:
- Conduct a risk assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI when it is created, received, maintained, used or transmitted off-site;
- Implement a risk management plan that incorporates security measures sufficient to reduce the risks and vulnerabilities identified by the risk assessment to a reasonable and appropriate level; and
- Implement several physical and technical safeguards, including encryption, to ensure the protection of ePHI whenever it is stored or transported off-site by any portable device or electronic media.
Initially, HHS officials received more than 30 complaints about the stolen tapes and disks after Providence, pursuant to state notification laws, informed patients of the theft. Providence also reported the stolen media to HHS. Providence faced a pending class action lawsuit alleging that the health system failed to safeguard the data as required by HIPAA and violated Oregon's Unfair Trade Practices Act. The proposed class action was dismissed in November 2007. The incident was also investigated by the Oregon Attorney General's Office, which resulted in an Assurance of Voluntary Compliance Agreement requiring Providence to provide credit monitoring services and credit restoration services, implement security program enhancements, and pay $95,764 into the Consumer Protection and Education Revolving Account.
The Providence settlement and corrective action plan send a signal that OCR and CMS are taking a stronger position against privacy and security incidents. The settlement should prompt providers who are required to comply with HIPAA to reexamine their privacy and security policies, procedures, employee training protocols, and ongoing monitoring of compliance.
1 comment:
Despite recent enforcement action at Providence Health & Services, much-needed change to the enforcement of HIPAA is required. HIPSA may be the answer...
In July, Sen. Edward Kennedy and Sen. Patrick Leahy introduced the Health Information Privacy and Security Act of 2007 (HIPSA) that apparently would not replace HIPAA but require the Department of Health and Human Services to revise HIPAA to be consistent with HIPSA.
HIPSA requires the establishment of an Office of Health Information Privacy at DHHS and gives it enforcement powers to impose criminal and civil penalties for unauthorized disclosure of patient information. In addition, HIPSA would permit individuals to sue for compensatory damages and receive punitive damages in cases of unauthorized disclosure. Moreover, HIPSA would authorize state attorneys general to sue on behalf of state residents and permit whistleblowers who report violations to be protected from retaliation.
As a consultant providing HIPAA compliance services to healthcare, I believe HIPSA has the ability to move privacy and security compliance closer to the recognition OSHA has for enforcement. Only then will we see a reduction in patient records "snooping", lost patient data and a renewed commitment to safeguarding Protected Health Information.
More on HIPAA compliance at: http://grantpeterson.matrixblogsuite.com/index.aspx