HHS recently reached a "Resolution Agreement" for the first time with a covered entity for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The alleged HIPAA violations occurred in 2005 and 2006, when laptops, backup tapes, and optical disks containing unencrypted personal health information for 386,000 patients were removed from Providence Health & Services (Providence) premises, left unattended, and subsequently lost or stolen. Providence alerted HHS, as well as the affected patients, and cooperated with the government in the investigation and settlement process.

In the Resolution Agreement, Providence agreed to a settlement involving the payment of a $100,000 "resolution amount" to HHS, and implementation of a detailed Corrective Action Plan which includes the revision of its policies and procedures relating to off-site storage and transportation of media containing personal health information, additional staff training, audits and site visits, and the submission of compliance reports to HHS for three years.

According to HHS, Providence's cooperation in the matter prompted HHS to refrain from imposing civil penalties; however, it remains unclear what the $100,000 "resolution amount" is designed to be, if not a monetary penalty relating to the alleged violations. The Providence Resolution Agreement is available on the HHS Office of Civil Rights (OCR) website. The OCR and CMS are the HHS branches responsible for HIPAA enforcement.