Providence Health & Services Agrees To $100,000 Voluntary Settlement of Potential HIPAA Violation

The U.S. Department of Health and Human Services (HHS) issued a press release last Thursday that it had entered into a Resolution Agreement with Seattle-based Providence Heath & ServicesHealth Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security rules. The agreement calls for Providence to pay a voluntary settlement of $100,000 and implement a detailed corrective action plan to ensure against future theft or loss of electronic patient health information (ePHI).

The incidents giving rise to the agreement involved two Providence entities, Providence Home and Community Services and Providence Hospice and Home Care. On or about December 30, 2005, data contained on several computer backup disks and tapes was stolen from the unattended car of a Providence employee. In addition to the theft of disks and tapes, several laptop computers were stolen from Providence employees on September 29, 2005, December 7, 2005, February 27, 2006, and March 3, 2006. The laptops, disks and tapes involved in those thefts contained the unencrypted records of more than 386,000 patients of Providence.

Under the terms of the Resolution Agreement, Providence agrees to pay $100,000 by check or electronic funds to HHS. Providence also agrees to enter into and abide by the terms of the Corrective Action Plan that is incorporated into the agreement. The Corrective Action Plan is effective for three years and requires that Providence submit copies of its written policies and procedures to HHS for approval. The Corrective Action Plan outlines nine categories of minimum content required in the policies and procedures. Specifically, the Corrective Action Plan requires that Providence to:

• Conduct a risk assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI when it is created, received, maintained, used or transmitted off-site;
• Implement a risk management plan that incorporates security measures sufficient to reduce the risks and vulnerabilities identified by the risk assessment to a reasonable and appropriate level; and
• Implement several physical and technical safeguards, including encryption, to ensure the protection of ePHI whenever it is stored or transported off-site by any portable device or electronic media.

The Corrective Action Plan also requires Providence train and monitor its workforce so that all employees are familiar with the policies and procedures. Providence is also required to submit to HHS both a one-time Implementation Report and Annual Reports for three years detailing its compliance to the policies and procedures under the Resolution Agreement.

Initially, HHS officials received more than 30 complaints about the stolen tapes and disks after Providence, pursuant to state notification laws, informed patients of theft. Providence also reported the stolen media to HHS. Providence faced a pending class action lawsuit alleging that the health system failed to safeguard the data as required by HIPAA and violated Oregon’s Unfair Trade Practices Act. The proposed class action was dismissed in November, 2007. The incident was also investigated by the Oregon Attorney General’s Office resulting in an Assurance of Voluntary Compliance Agreement requiring Providence to provide credit monitoring services, credit restoration services, implement security program enhancements and pay $95,764 into the Consumer Protection and Education Revolving Account.

Providence settlement and corrective action plan sends a signal that OCR and CMS are taking a stronger position against privacy and security incidents. The settlement should prompt providers who are required to comply with HIPAA to reexamine their privacy and security policies, procedures, employee training protocols and ongoing monitoring of compliance.