Suggested Content
- HHS cracks down: provider to pay $100,000 in HIPAA penalties over lost laptops
- AHA blasted for 'Hail Mary pass' on meaningful use
- Phoenix practice to pay $100,000 to settle HIPAA case
- Tennessee Blues to pay $1.5M as result of data breach
- Inspector General review highlights IT challenges for HHS
- HHS names 32 Pioneer ACOs
- OIG calls for federal crackdown on portable x-ray suppliers
- 32 Pioneer ACOs named by HHS
- HHS releases proposed ACO regulations
- Feds use IT to crack down on Medicare/Medicaid billing errors
WASHINGTON – The Department of Health and Human Services has levied a $100,000 fine on Seattle-based Providence Health and Services for alleged violations of the Health Insurance Portability and Accountability Act of 1996 Privacy and Security Rules.
The violation, involving unprotected backup tapes, optical disks and laptops three years ago, compromised the protected health information of more than 386,000 patients, HHS officials said.
In addition to the fine – one of the heftiest levied by HHS thus far for a HIPAA violation – Providence will be required to follow a detailed corrective action plan for adequately safeguarding identifiable electronic patient information. HHS officials said the agreement is the first of its kind.
Winston Wilkinson, the director of the HHS’ Office of Civil Rights (OCR), said other providers should take notice. The enforcement agency “is committed to effective enforcement of health information privacy and security protections for consumers,” he said.
HIPAA requires covered entities under Medicare, including health plans, healthcare clearinghouses and most healthcare providers, to safeguard certain individually identifiable health information and to meet additional security standards for electronic patient information. The charge against Providence involved a security breach of electronic backup media and laptop computers containing individually identifiable health information in 2005 and 2006.
The OCR and the Centers for Medicare & Medicaid Services report they have successfully resolved more than 6,700 HIPAA Privacy and Security Rule cases, each requiring the entities to make systemic changes to health information privacy and security practices. Providence’s cooperation with the OCR and CMS allowed HHS officials to resolve the case without the need to impose a civil penalty (the $100,000 fine was called a “resolution amount” by HHS officials).
Wilkinson said the agency commends Providence for its cooperation during the investigation and for “their voluntary implementation of comprehensive and system-wide improvements to protect individually identifiable health information.”
