The Department of Health and Human Services (HHS) and Providence Health & Services have entered into a Resolution Agreement that includes a payment to HHS and corrective action plan for the Seattle-based health system to settle potential HIPAA privacy and security rule violations that occurred in 2005 and 2006, according to a July 17 HHS press release.
In addition to paying the $100,000 resolution amount to HSS, Providence has agreed to a “robust” corrective action plan to help ensure the future protection of its electronic PHI from theft or loss, according to the press release.
The Resolution Agreement comes after two entities within the Providence health system—Providence Home and Community Services and Providence Hospice and Home Care—were involved in several incidents in 2005 and 2006 dealing with the loss or theft of multiple items containing the unencrypted PHI of more than 386,000 patients, according to the press release. The items included laptop computers, optical disks, and electronic backup tapes, all of which HIPAA required Providence to safeguard because they contained patient information.
According to the press release, the corrective action plan requires the following:
- Revised policies and procedures for physical and technical safeguards relating to storage and transport of devices or media containing PHI, subject to the approval of HHS
- Work force training for staff members
- Mandatory audits and facility site visits
- Submission of compliance reports to HHS for three years
To view the HHS press release, visit www.hhs.gov/news/press/2008pres/07/20080717a.html.
To view the resolution agreement, visit www.hhs.gov/ocr/privacy/enforcement/resolution.html.