Showing posts with label OCR. Show all posts

Wednesday, July 23, 2008

Providence Health & Services Agrees To $100,000 Voluntary Settlement of Potential HIPAA Violation

The U.S. Department of Health and Human Services (HHS) issued a press release last Thursday announcing that it had entered into a Resolution Agreement with Seattle-based Providence Health & Services to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security rules. The agreement calls for Providence to pay a voluntary settlement of $100,000 and implement a detailed corrective action plan to guard against future theft or loss of electronic protected health information (ePHI).

The incidents giving rise to the agreement involved two Providence entities, Providence Home and Community Services and Providence Hospice and Home Care. On or about December 30, 2005, data contained on several computer backup disks and tapes was stolen from the unattended car of a Providence employee. In addition to the theft of disks and tapes, several laptop computers were stolen from Providence employees on September 29, 2005, December 7, 2005, February 27, 2006, and March 3, 2006. The laptops, disks and tapes involved in those thefts contained the unencrypted records of more than 386,000 patients of Providence.

Under the terms of the Resolution Agreement, Providence agrees to pay $100,000 to HHS by check or electronic funds transfer. Providence also agrees to enter into and abide by the terms of the Corrective Action Plan that is incorporated into the agreement. The Corrective Action Plan is effective for three years and requires that Providence submit copies of its written policies and procedures to HHS for approval. The Corrective Action Plan outlines nine categories of minimum content required in the policies and procedures. Specifically, the Corrective Action Plan requires that Providence:
  • Conduct a risk assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI when it is created, received, maintained, used or transmitted off-site;
  • Implement a risk management plan that incorporates security measures sufficient to reduce the risks and vulnerabilities identified by the risk assessment to a reasonable and appropriate level; and
  • Implement several physical and technical safeguards, including encryption, to ensure the protection of ePHI whenever it is stored or transported off-site by any portable device or electronic media.
The Corrective Action Plan also requires Providence to train and monitor its workforce so that all employees are familiar with the policies and procedures. Providence is also required to submit to HHS both a one-time Implementation Report and Annual Reports for three years detailing its compliance with the policies and procedures under the Resolution Agreement.

Initially, HHS officials received more than 30 complaints about the stolen tapes and disks after Providence, pursuant to state notification laws, informed patients of the theft. Providence also reported the stolen media to HHS. Providence faced a pending class action lawsuit alleging that the health system failed to safeguard the data as required by HIPAA and violated Oregon's Unfair Trade Practices Act. The proposed class action was dismissed in November 2007. The incident was also investigated by the Oregon Attorney General's Office, resulting in an Assurance of Voluntary Compliance Agreement requiring Providence to provide credit monitoring services and credit restoration services, implement security program enhancements, and pay $95,764 into the Consumer Protection and Education Revolving Account.

The Providence settlement and corrective action plan send a signal that OCR and CMS are taking a stronger position against privacy and security incidents. The settlement should prompt providers who are required to comply with HIPAA to reexamine their privacy and security policies, procedures, employee training protocols and ongoing monitoring of compliance.

Tuesday, May 13, 2008

New HHS HIPAA Privacy Compliance and Enforcement Data

HHS and the Office for Civil Rights (OCR) have added new enforcement statistics and data to the OCR HIPAA Privacy Compliance and Enforcement site. Previously, I've posted about the statistics.

OCR added new information broken down by the following topics:
The statistics show that the number of complaints made to OCR continues to increase -- from 6,534 complaints in 2004 to 8,132 complaints in 2007.

Also, the statistics show that the top 5 types of complaints requiring corrective action have remained fairly consistent - except in 2007 "notice" jumps into the top 5.

I would be interested to hear others' thoughts on the compliance statistics.

Tuesday, April 24, 2007

New HIPAA Privacy Compliance and Enforcement Website

Yesterday I received an email via the OCR-Privacy listserv announcing the launch of a new HHS web site on HIPAA Privacy Compliance and Enforcement.

I haven't had time to check out the new website but plan to in the coming days. While scanning the website I found the "Enforcement Highlights" and "Case Examples" section very interesting. In the meantime, here is the press release issued in the email by HHS.

To coincide with the fourth anniversary of the enforcement of the HIPAA Privacy Rule, the Department of Health and Human Services (HHS) announced today the launch of an enhanced Web site that will make it easier for consumers, health care providers and others to get information about how the Department enforces health information privacy rights and standards. In launching the website, Winston Wilkinson, the Director of the HHS Office for Civil Rights, noted: "HHS has obtained significant change in the privacy practices of covered entities through its enforcement program. Corrective actions obtained by HHS from these entities have resulted in change that is systemic and affects all the individuals they serve."

The Health Information Privacy Web site provides comprehensive information about the Privacy Rule, which creates important federal rights and requirements to protect the privacy of personal health information. The enhanced Web site, http://www.hhs.gov/ocr/privacy/enforcement, provides information for consumers, health care providers, health plans and others in the health care industry about HHS's compliance and enforcement efforts. The new information describes HHS activities in enforcing the Privacy Rule, the results of those enforcement activities, and statistics showing which types of complaints are received most frequently and the types of entities most often required to take corrective action as a result of consumer complaints. The other information on the Web site covers consumers' rights to access their health information and significantly control how their personal health information is used and disclosed, as well as guidance about how to submit complaints about possible violations of the law and extensive guidance for entities who must comply with the rule.

HHS issued the patient privacy protections pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The first and only comprehensive federal privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals and other health care providers took effect on April 14, 2003. Developed by HHS, these standards provide patients with access to their medical records and more control over how their personal health information is used and disclosed. The regulation covers health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions (e.g., enrollment, billing and eligibility verification) electronically. HHS has conducted extensive outreach and provided guidance and technical assistance to providers and businesses to help them implement the new privacy protections. These materials are available at http://www.hhs.gov/ocr/hipaa.