Providence Health will pay $100,000 and be subject to corrective action plan

The Department of Health and Human Services (HHS) announced it has entered into a Resolution Agreement with Providence Health & Services, a Seattle-based not-for-profit health system, to settle alleged violations of the HIPAA Privacy and Security Rules. This is the first time that a health care provider has been required to enter into such an agreement for Privacy or Security Rule violations; Providence has agreed to pay $100,000 and implement a detailed Corrective Action Plan to ensure future protection of electronic patient information against theft and loss.

The HHS investigation was prompted by multiple thefts of backup tapes, optical disks and laptops containing unencrypted electronic personal health information (ePHI) in 2005 and 2006. On more than one occasion, unencrypted data was housed on portable media, removed from the premises and left unattended by employees. The resulting thefts involved the loss of data for more than 386,000 patients. Providence notified patients of the thefts pursuant to state notification laws, and HHS received more than 30 complaints. Providence also self-reported the stolen media to HHS.

The Resolution Agreement

The Resolution Agreement is essentially a contract between Providence and HHS, under which the health system agrees to pay a $100,000 fine; develop and implement security policies and procedures; conduct staff training; conduct audits and site visits to Providence facilities; and submit reports to HHS regarding implementation and compliance. The Agreement will be in effect for three years, during which time HHS reserves the right to impose civil monetary penalties if the requirements outlined in the agreement are not met. The full Agreement can be read at

HHS Enforcement

HHS is stepping up enforcement of the HIPAA Privacy and Security Rules. The Office of Civil Rights, which enforces the HIPAA Privacy Rule, and the CMS Office of E-Health Standards and Services (OESS), which enforces the Security Rule, worked together on the Providence investigation and are parties to the agreement. OESS has announced that it will conduct at least 10 HIPAA Security Compliance Reviews by December of 2008 and has contracted with PricewaterhouseCoopers to conduct these security audits.

What You Should Do:

  • Assess overall security plans and determine whether your program is keeping pace with
    developments in the area of healthcare data security. Evaluate the risks, document the
    decisions made and implement the changes.
  • Update security awareness training and education and ensure that it is on-going. Security
    compliance cannot be achieved without effective training.
  • CMS has published an “Interview and Document Request List for HIPAA Security On-Site
    Investigations and Compliance Reviews.” Ensure that all items are covered and
    appropriately documented in your enterprise security plan.