On July 17, 2008, the United States Department of Health and Human Services ("HHS") entered into a Resolution Agreement with Providence Health & Services ("Providence") to settle alleged violations of the privacy and security regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") (the "Privacy Rule" and the "Security Rule"). This is the first time a HIPAA covered entity has been required to enter into a Resolution Agreement for alleged violations of the Privacy and Security Rules.

The circumstances underlying the Resolution Agreement involved Providence Home and Community Services and Providence Hospice and Home Care, two entities within the Providence health system. Between September 2005 and March 2006, backup tapes, optical disks and laptop computers that contained unencrypted protected health information ("PHI") were removed from Providence's facilities, left unattended and ultimately lost or stolen. The electronic media and laptop computers contained the PHI of over 386,000 patients.

Providence reported the issue to HHS and, pursuant to state breach notification laws, informed patients of the theft. A number of these patients then filed complaints with HHS. HHS' Office for Civil Rights ("OCR") and the Centers for Medicare and Medicaid Services ("CMS"), responsible for enforcing the Privacy Rule and the Security Rule, respectively, investigated the complaints against Providence. According to HHS, both OCR and CMS focused on Providence's failure to implement policies and procedures to safeguard the privacy and security of the PHI.

Under the terms of the Resolution Agreement, Providence has agreed to pay $100,000 to HHS and to implement a Corrective Action Plan that includes: 

  • Revising the organization's policies and procedures regarding physical and technical safeguards governing off-site transport and storage of electronic media containing PHI.
  • Training workforce members with respect to the safeguards implemented to protect the privacy and security of PHI. 
  • Conducting audits and site visits of the Providence facilities. 
  • Submitting compliance reports to HHS for a period of three years.

The $100,000 resolution amount paid by Providence did not constitute a civil money penalty.

According to Kerry Weems, acting administrator of CMS, "this resolution confirms that effective compliance means more than just having written policies and procedures…covered entities need to continuously monitor the details of their execution, and ensure that these efforts include effective privacy and security staffing, employee training and physical and technical features."