First HIPAA fine enforced

The news release speaks for itself:

The U.S. Department of Health & Human Services (HHS) has entered into a Resolution Agreement with Seattle-based Providence Health & Services (Providence) to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. In the agreement, Providence agrees to pay $100,000 and implement a detailed Corrective Action Plan to ensure that it will appropriately safeguard identifiable electronic patient information against theft or loss.

Ouch. This follows a recent warning by the Department of Justice that HIPAA is now being taken seriously and will be enforced.

The incidents giving rise to the agreement involved two entities within the Providence health system, Providence Home and Community Services and Providence Hospice and Home Care. On several occasions between September 2005 and March 2006, backup tapes, optical disks, and laptops, all containing unencrypted electronic protected health information, were removed from the Providence premises and were left unattended. The media and laptops were subsequently lost or stolen, compromising the protected health information of over 386,000 patients. HHS received over 30 complaints about the stolen tapes and disks, submitted after Providence, pursuant to state notification laws, informed patients of the theft. Providence also reported the stolen media to HHS. OCR and CMS together focused their investigations on Providence’s failure to implement policies and procedures to safeguard this information.

It is vital to note in the above text how breach notification played a role.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.