On July 15, 2008, the U.S. Department of Health and Human Services (“HHS”) entered into a Resolution Agreement with Providence Health & Services (“Providence”) that included a monetary settlement to address potential privacy and security violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The Resolution Agreement is notable because it is the first to include a monetary settlement.
Previous HIPAA violations investigated by HHS and the Centers for Medicare & Medicaid Services (“CMS”) had been settled with the subject entities when they agreed to make changes to their privacy and security policies and implementation practices. This Resolution Agreement signifies a departure from CMS’s usual enforcement practices, and also highlights for employers the need for covered entities, including group health plans, to comply with the requirements of HIPAA.
Through its Privacy and Security rules, HIPAA requires health plans, health care clearinghouses and health care providers to implement and apply certain privacy and security practices to protect individually identifiable health information. Despite this mandate, however, during 2005 and 2006, backup tapes, optical disks and laptops containing unencrypted electronic protected health information were removed from two Providence entities and left unattended or stolen. The media and laptops contained the protected health information of more than 386,000 patients.
Upon discovering the loss, Providence notified patients of the theft and also alerted HHS. HHS focused its investigation on Providence’s failure to implement policies and procedures to safeguard the individually identifiable information. Under the Resolution Agreement, and to address any potential HIPAA Privacy and Security Rules violations, Providence has agreed to pay $100,000 and implement a corrective action plan to ensure that it will appropriately safeguard identifiable electronic patient information against future theft or loss. The corrective action plan requires Providence to revise its HIPAA policies and procedures regarding physical and technical safeguards, including encryption and the off-site transport and storage of electronic media containing patient information, to conduct workforce training, to perform audits and site visits, and to submit compliance reports to HHS.
It is important to note that the Resolution Agreement was entered into without proof of actual disclosure of individually identifiable information contrary to the HIPAA Privacy and Security rules. Moreover, upon publication of the Resolution Agreement, the acting administrator of CMS warned that covered entities that are not in compliance with the rules should become so, and that in addition to having clear and compliant policies, covered entities should ensure that they are compliant in the execution of their policies. We recommend that employers take action to ensure their health plans are compliant with the HIPAA Privacy and Security rules.