The violation, involving unprotected backup tapes, optical disks and laptops three years ago, compromised the protected health information of more than 386,000 patients, HHS officials said.
In addition to the fine - one of the heftiest levied by HHS thus far for a HIPAA violation – Providence will be required to follow a detailed corrective action plan for adequately safeguarding identifiable electronic patient information. HHS officials the resolution agreement is the first of its kind.
Winston Wilkinson, the director of the HHS' Office of Civil Rights (OCR), said other providers should take notice. The enforcement agency "is committed to effective enforcement of health information privacy and security protections for consumers," he said.
HIPAA requires covered entities under Medicare, including health plans, healthcare clearinghouses and most healthcare providers, to safeguard certain individually identifiable health information and to meet additional security standards for electronic patient information. The charge against Providence involved a security breach of electronic backup media and laptop computers containing individually identifiable health information in 2005 and 2006.
The OCR and the Centers for Medicare & Medicaid Services report they have successfully resolved more than 6,700 HIPAA Privacy and Security Rule cases, each requiring the entities to make systemic changes to health information privacy and security practices. Providence's cooperation with the OCR and CMS allowed HHS officials to resolve the case without the need to impose a civil penalty (the $100,000 fine was called a "resolution amount" by HHS officials).
Wilkinson said the agency commends Providence for its cooperation during the investigation and for "their voluntary implementation of comprehensive and system-wide improvements to protect individually identifiable health information."
The case involved exchanges of information between two entities in the Providence health system, Providence Home and Community Services and Providence Hospice and Home Care. On several occasions between September 2005 and March 2006, backup tapes, optical disks and laptops containing unencrypted electronic protected health information were removed from the Providence premises and left unattended, HHS officials said.