In December of 2005, four backup tapes and two optical disks containing electronic protected health information (PHI) were stolen from the car of an employee of Providence Health & Services, a Washington and Oregon-based non-profit health system. Also, on four separate occasions in 2005 and 2006, laptops containing PHI were left unattended and stolen from other Providence employees. The PHI was not encrypted, and the thefts compromised the health information of over 386,000 patients.
On July 15, 2008, the U.S. Department of Health & Human Services (HHS) entered into a resolution agreement with Providence to settle claims arising out of Providence’s alleged violations of the Privacy Rule and Security Rule of the Health Insurance Portability and Accountability Act (HIPAA). As part of the resolution agreement, Providence agreed to pay HHS $100,000 and to implement a detailed 3-year Corrective Action Plan.
Under the Plan, Providence must revise its policies and procedures regarding the physical off-site transport and encryption of PHI, and the revised procedures must be approved by HHS.
Among other things, Providence must also distribute its revised policies and procedures to all employees, including new employees, and it must train its employees on the procedures. Providence must also obtain a signed written or electronic compliance certification from each member of its workforce stating that the worker has read, understands and will abide by the revised policy.
Providence also agreed that its Chief Information Officer (CIO) will perform unannounced visits to worksites, and interview workers involved in the supervision, use, retention, or destruction of backup electronic media. Additionally, the CIO must inspect a random sample of portable devices that contain PHI to ensure that such devices satisfy all applicable requirements of the Corrective Action Plan. Documentation of the CIO’s findings must also be part of Providence’s Annual Report to HHS.
This is the first time HHS has required a health care entity to enter into a resolution agreement in regard to compromised patient information.