Several years after the HIPAA privacy and security standards became effective, the U.S. Department of Health and Human Services ("HHS") has stepped up its enforcement activities, recently fining a healthcare system $100,000 for HIPAA violations. On July 15, 2008, HHS entered into a Resolution Agreement with Providence Health & Services, Providence Health System-Oregon and Providence Hospice and Home Care, all related non-profits based in the states of Washington and Oregon (collectively, "Providence"). The agreement resulted from an HHS investigation of five incidents in late 2005 and early 2006 in which Providence staff members, in violation of applicable security policies, had taken laptops, tapes and disks containing electronic protected health information ("ePHI") off premises. The media and laptops were subsequently lost or stolen. Nothing in the documents indicates whether the ePHI at issue was improperly used by the persons who stole the laptops, tapes and disks, or by any other party, or whether the ePHI was ever recovered.
Under the Corrective Action Plan appended to its Resolution Agreement, Providence is subject to tough terms that include revised policies and procedures, re-training for all workers and increased self-auditing. In addition, the agreement imposed outside monitoring and regular reporting requirements. If HHS is not satisfied with Providence's intensified compliance activities, Providence is potentially subject to fines in addition to the original $100,000.
This is not HHS's first HIPAA enforcement action, but it is its most significant to date. Since HIPAA's implementation, the Office for Civil Rights at HHS, which handles HIPAA complaints, has received over 30,000 complaints that have led to more than 5,000 corrective actions and more than 400 referrals to the U.S. Department of Justice for possible criminal violations. In general, however, HHS's enforcement philosophy has been to emphasize compliance rather than punishment, working with the provider to develop better systems and procedures. With the imposition of this substantial monetary penalty, HHS has given real teeth to HIPAA enforcement and signaled an intention to become more punitive, presumably on the theory that providers have had sufficient time to bring their operations into compliance. Hospitals and other organizations subject to HIPAA should consider assessing their own compliance in light of this development.