Health Care Legal Update August 2008
HHS Announces First Enforcement Action for HIPAA Privacy and Security Violations
Providence Health will pay $100,000 and be subject to Corrective Action Plan
The Department of Health and Human Services ("HHS") announced it has entered into a Resolution Agreement with Providence Health & Services, a Seattle-based not-for-profit health system ("Providence"), to settle alleged violations of the HIPAA Privacy and Security Rules. This is the first time that a health care provider has been required to enter into such an agreement for Privacy or Security Rule violations. Providence has agreed to pay $100,000 and implement a detailed Corrective Action Plan to ensure that it will appropriately safeguard identifiable electronic protected health information against theft or loss.
The HIPAA Privacy Rule is enforced by HHS Office for Civil Rights ("OCR"), and the HIPAA Security Rule is enforced by HHS' Centers for Medicare & Medicaid Services ("CMS"). The HIPAA Privacy and Security Rules require health plans, healthcare clearinghouses and most healthcare providers (covered entities) to safeguard the privacy of certain individually identifiable health information and meet additional security standards for protected health information ("PHI") maintained in electronic form.
The Alleged HIPAA Violations
Providence operates numerous healthcare entities, including a health plan, physician clinics, 26 hospitals and more than 35 non-acute facilities. According to the HHS, the Resolution Agreement "relates to Providence's loss of electronic backup media and laptop computers containing individually identifiable health information in 2005 and 2006." The incidents involved two entities within the Providence health system, Providence Home and Community Services and Providence Hospice and Home Care. Specifically, on "several occasions between September 2005 and March 2006, backup tapes, optical disks, and laptops, all containing unencrypted electronic protected health information, were removed from the Providence premises and were left unattended." In one of the incidents, four backup tapes and two optical disks were left unattended overnight in the vehicle of an employee and then were stolen. In other incidents, laptops containing electronic PHI ("ePHI") were left unattended and were stolen from members of Providence's workforce. The ePHI on laptops, tapes and disks was not encrypted, and their theft compromised the protected health information of over 386,000 patients. Providence notified patients of the thefts pursuant to state security breach notification laws, and HHS received more than 30 complaints. Providence also had reported the incidents to HHS.
The Governmental Investigations
Because both OCR and CMS have relevant enforcement authority, a joint investigation was conducted by both enforcement agencies. OCR and CMS together focused their investigations on Providence's failure to implement policies and procedures to safeguard the electronic protected health information.
The theft of the backup tapes and disks was also investigated by the Oregon Attorney General's Office, resulting in an Assurance of Voluntary Compliance Agreement requiring Providence to provide credit monitoring services, credit restoration services, implement security program enhancements and pay $95,764 into the Consumer Protection and Education Revolving Account.
The Corrective Action Plan/Resolution Agreement
While HHS has previously required covered entities alleged to have violated the HIPAA Privacy and Security Rules to implement corrective action measures, this is the first time HHS has required a covered entity to enter into a resolution agreement to resolve an alleged HIPAA violation. The Resolution Agreement is essentially a settlement agreement between Providence and HHS, under which the health system agrees to pay a $100,000 fine, revise security policies and procedures, conduct staff training, conduct audits and site visits to Providence facilities, and submit reports to HHS regarding implementation and compliance. The Resolution Agreement includes a Corrective Action Plan ("CAP"). The Corrective Action Plan will be in effect for three years, during which time HHS reserves the right to impose civil monetary penalties if the requirements outlined in the Resolution Agreement and Corrective Action Plan are not met.
Policies and Procedures. Providence must review and revise its data privacy and security policies and procedures to ensure compliance with the Privacy and Security Rules. They must include the following requirements:
- A risk assessment of potential risk and vulnerabilities to the confidentiality, integrity and availability of electronic PHI created, received, maintained, used or transmitted off-site
- A risk management plan with security measures "sufficient to reduce risks and vulnerabilities identified by the risk assessment to a reasonable and appropriate level"
- Physical safeguards governing the off-site transport and storage of backup electronic media containing electronic PHI
- Physical safeguards governing the physical security of portable devices containing electronic PHI
- Technical safeguards governing "encryption" and other means (e.g. passwords) to secure portable devices and backup electronic media containing electronic PHI
- Notification to OCR and CMS of any violation of the policies and procedures. The notification must describe the violation, the persons involved, the provision(s) of Policies and Procedures implicated, and the actions taken to mitigate any harm and prevent recurrence
Providence must submit its revised policies and procedures to OCR and CMS for approval. Once approved, Providence must certify that it has implemented the policies and procedures within 60 days of OCR/CMS approval, and has distributed the policies and procedures to its workforce within 30 days of OCR/CMS approval. Workforce members must certify their receipt, review and understanding of, and commitment to abide by, the policies and procedures. Providence must reassess, update and revise the policies and procedures as needed, but not less than annually. Each revision must be approved by OCR and CMS, then redistributed to Providence's workforce.
Training. Providence must train its workforce on the approved policies and procedures within 90 days of their approval and, for new workforce members, within 30 days of those workforce members' start with Providence. Providence must review and update its training programs and processes at least annually. Each workforce member must certify to receiving the training. No workforce member may be involved with off-site transport or storage of backup electronic media or with portable devices containing electronic PHI until the workforce member has certified that he or she has undergone this training.
Monitoring. Providence must conduct monitoring reviews at least quarterly to validate that Providence's workforce is familiar with and complying with the policies and procedures, and that backup electronic media and portable devices containing electronic PHI are being secured in accordance with the policies and procedures. Monitoring reviews must include (a) unannounced site visits to Providence's facilities, (b) interviews with a random sample of workforce members and with workforce members specifically involved with the supervision, use, retention or destruction of backup electronic media, and (c) inspection of a random sample of portable devices containing electronic PHI under the control of workforce members. Based on the monitoring review, Providence must: (a) identify any risks to the electronic protected health information residing on backup media or portable devices; (b) develop recommendations to reduce such risks or vulnerabilities to a reasonable and appropriate level; and (c) ensure that Covered Entities implement the risk management steps.
Implementation Report and Annual Reports. Providence's Chief Information Security Officer must attest to OCR and CMS, within 120 days of the approval of Providence's revised policies and procedures, that the approved policies and procedures are being implemented, that they have been distributed and remain available to Providence's workforce, that the workforce has been trained on the approved policies and procedures, that all certifications required of workforce members have been collected, and that each of Providence's locations is complying with the CAP. The Chief Information Security Officer must attest that this "implementation report" results from "a reasonable inquiry regarding its content" and that he "believes that, upon such inquiry, the information is accurate and truthful." Providence's training materials, a description of its training, a summary of the topics covered by its training, the lengths of its training sessions, a schedule of its training sessions held, and information about each location at which Providence is doing business must accompany the implementation report.
Providence must also submit an "annual report" to OCR and CMS confirming its compliance with the CAP for three reporting periods. The annual report must be accompanied by a record of each quarterly monitoring review and the training schedule, training topics outline and training materials used by Providence during the annual reporting period. The annual report must include a summary of any violations of Providence's policies and procedures during the year, and the status of any corrective and preventative actions relating to such violations. Providence's Chief Information Security Officer must attest that all required training certifications have been obtained, that training complies with CAP requirements, that he has reviewed the annual report, and that the annual report results from "a reasonable inquiry regarding its content" and he "believes that, upon such inquiry, the information is accurate and truthful." Providence must retain all documentation and records regarding its compliance with the Corrective Action Plan for six years following the Corrective Action Plan's effective date.
Conclusion
The Providence Resolution Agreement and Corrective Action Plan send a message that OCR and CMS are taking a stronger position against privacy and security incidents. Providence's cooperation with OCR and CMS allowed HHS to resolve this case without the need to impose a civil money penalty, which could have amounted to several million dollars based on the number of HIPAA violations that occurred. In the Providence press release, HHS officials state that HIPAA compliance requires more than simply having written policies and procedures, and note that covered entities must engage in continuous monitoring of policy compliance, including staff education and training, privacy and security staffing, and physical and technical safeguards.
Recommended Data Security Breach Prevention and Mitigation Strategies
- Inventory all electronic protected health information in the health care organization's possession and consider minimizing the amount of protected health information retained
- Assess breach vulnerability for each type of electronic protected health information
- Benchmark current security initiatives against what is required under HIPAA, state security breach laws and related sources. Make sure to keep pace with technological developments in privacy and security protection. Encryption is now affordable for most covered entities
- Assess overall security plans and determine whether your program is keeping pace with developments in the area of healthcare data security. Evaluate the risks, document the decisions made and implement the changes
- Limit access to protected health information utilizing adequate administrative, technical, and physical safeguards
- Use intrusion detection technology to detect breaches rapidly
- Dispose of protected health information in a timely and effective manner
- Update security awareness training and education and ensure that it is on-going. Security compliance cannot be achieved without effective training
- Audit and monitor internal processes to make sure that HIPAA privacy and security policies and procedures are being followed
- Identify an internal security breach response team, assign tasks and responsibilities, and practice how the organization would respond in the event of a security breach. Develop template documents likely to be used in the event of a breach
- When a security incident occurs, re-evaluate HIPAA security policies and procedures and implement changes as required, and consult with legal counsel regarding disclosure to government agencies
Theodora Oringher Miller & Richman has the expertise to assist health care organizations with HIPAA Privacy and Security compliance strategies. For more information about policies and procedures, training, on-site investigations and compliance reviews discussed in this Legal Update, please contact Michael Dowell at mdowell@tocounsel.com or the lawyer in the firm who generally handles your health care legal matters.
