The Department of Health and Human Services (HHS) and Providence Health & Services have entered into a Resolution Agreement that includes a payment to HHS and corrective action plan for the Seattle-based health system to settle potential HIPAA privacy and security rule violations that occurred in 2005 and 2006, according to a July 17 HHS press release.
In addition to paying the $100,000 resolution amount to HHS, Providence has agreed to a “robust” corrective action plan to help ensure the future protection of its electronic PHI from theft or loss.
The Resolution Agreement comes after two entities within the Providence health system—Providence Home and Community Services and Providence Hospice and Home Care—were involved in several incidents in 2005 and 2006 dealing with the loss or theft of multiple items containing the unencrypted PHI of more than 386,000 patients. The items included laptop computers, optical disks, and electronic backup tapes, all of which HIPAA required Providence to safeguard because they contained patient information.
Take security seriously
“This really does show just how serious security enforcement is getting,” says William M. Miaoulis, CISA, CISM, manager of healthcare security services for Phoenix Health Systems in Dallas. “Although [Providence] agreed to pay a monetary sum, they’ve also agreed to implement a detailed corrective action plan. I think that’s the most important part,” he adds.
According to the press release, the corrective action plan requires the following:
Revised policies and procedures for physical and technical safeguards relating to storage and transport of devices or media containing PHI, subject to the approval of HHS
Work force training for staff members
Mandatory audits and facility site visits
Submission of compliance reports to HHS for three years
In addition to implementing a corrective action plan, Providence Health & Services is putting the protection of patient information at the top of its priority list, Eric Cowperthwaite, Providence’s chief information security officer, said in the press release. “Since these incidents occurred, we have reinforced our security protocols and implemented new data protection measures. Under the terms of the agreement, we will continue to implement appropriate policies, procedures, and training,” he said.
Be ready for future enforcement
This incident marks the first-ever HHS Resolution Agreement, though it may not be the last, says Winston Wilkinson, director of the Office for Civil Rights (OCR).
“We are committed to effective enforcement of health information privacy and security protections for consumers,” Wilkinson said in the press release. “Other covered entities that are not in compliance with the Privacy and Security Rules may face similar action.”
However, Providence will not face a civil money penalty because it cooperated with OCR and CMS during the investigation.
Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, says HHS needs to clarify why it is not calling the resolution payment a civil penalty. HIPAA allows OCR and CMS to pursue criminal penalties, levy civil penalties, or work with the organization through an informal corrective action agreement or work plan. “Informal is defined as technical support, education, and so forth,” says Apgar. “Nowhere does it say that informal has a price tag. So this is a stretch in some respects. There’s nothing in the enforcement rule that says they can impose a fine or make you pay money unless it is a civil penalty.”
“They’re very careful to say that they were so cooperative that there’s no monetary penalty. But what do they call it then, if it isn’t a penalty? Why is HHS reluctant to call this a penalty?” asks Kate Borten, CISSP, CISM, president of The Marblehead (MA) Group. “It’s a civil penalty for failure of compliance,” she adds. “But in the end, forget about the $100,000 and the fact that HHS is breathing down your neck for three years, the message is that you have to [take information security seriously].”
The financial penalty is attached to make a point, says John R. Christiansen, JD, managing director of Christiansen IT Law in Seattle. “Even if you cooperate in good faith and didn’t mean to do it, there are consequences,” he says. “You have to be serious about information protection in your healthcare organization, even if it is difficult.”
Ensure your policies and procedures are reaching your staff
Being serious includes ensuring that your policies and procedures are effectively reaching your entire work force. “This should be a wake-up call for all of us,” says Mary D. Brandt, MBA, RHIA, CHE, CHPS, president of Brandt & Associates, Inc., in Bellaire, TX. “Very few organizations have done a thorough risk analysis, and it’s easy to overlook functions like home health that may be separate from the hospital,” she adds.
Home health workers, in particular, are at high risk for HIPAA violations simply because these workers take PHI out of the organization every day to provide patient care, she adds. Brandt says hospitals should perform a proactive comprehensive risk analysis for ePHI so they don’t end up in Providence’s situation.
HHS’ investigation focused on Providence’s failure to enforce relevant policies and procedures. “The very fact that this happened underscores the difficulty of managing security in a big healthcare organization,” says Christiansen. “In a big healthcare organization, it is frequently the case where there is a lot of delegated authority . . . It is very hard to make sure you are getting accurate information out to all of the people who need it and to remind them of it.”
The intent of the Resolution Agreement may be to send a message to covered entities that they need to revisit the security rule requirements and implementation specifications, says John C. Parmigiani, president of John C. Parmigiani & Associates, LLC, in Ellicott City, MD. “Some of the things that were addressable need to be looked at again due to changing environments in terms of threats and your own capabilities, such as your use of remote access and removable media,” says Parmigiani.
In addition, healthcare providers should revisit the security rule guidance CMS released in December 2006. HHS has now laid the groundwork for enforcing the guidance even though it was not a part of the original security rule, according to Parmigiani.
Miaoulis notes that the Providence security incidents occurred in 2005 and 2006, and CMS issued the guidance on remote and mobile data by the end of 2006. “I’m not saying they are connected, but what I am saying is that people need to get their hands on that and read that,” he says.
Seattle-based Providence Health & Services has agreed to pay a $100,000 fine and improve its patient information security to settle privacy complaints from 2005 and 2006. Federal officials say Providence failed to properly secure backup tapes, disks and laptops with electronic patient information several times during a seven-month period. The backup data and laptops were lost or stolen, and Providence has agreed to revise its policy on transporting patient records outside of company buildings and improve training of its employees.
The Collaborative Communications Summit has announced an exclusive summit on deal-making for investors focused on healthcare technology. The Health Technology Investment Forum will be held on September 30, 2008, in New York City. The Health Technology Investment Forum President Waco Hoover said in a statement: "the Forum will present a series of high growth potential investment opportunities and address key drivers in the health technology sector affecting M&A growth. We're very pleased to be working with major industry players, providing a unique and valuable platform that fosters deal-making and M&A activity."
Misuse of hospital technology leads to increased medication errors, according to a study by researchers at the University of Pennsylvania School of Medicine. The study revealed that both the technology design and its implementation—often relied upon as a “cure-all” for medication administration errors—are flawed and can increase the likelihood of some errors. In addition, researchers found that “the urgencies of care” and creative attempts to cope with the problems have caused other medication errors.
House Energy and Commerce Committee leaders hope to vote on legislation before the August recess that would create a national system of electronic medical records, according to Energy and Commerce ranking member Joe Barton. He said members working on changes to the bill "are making privacy a priority" even though the measure is chiefly a vehicle to speed the adoption of health information technology. Barton said his committee's bill will likely have "the strongest privacy protection of any bill that's gone through the House or Senate in the last five or 10 years."
Boston-based HealthHonors has launched its new behavior modification technology that aims to motivate patients to adhere to drug therapy and wellness initiatives by using a points-reward system. The program uses principles developed by behaviorist B.F. Skinner, including the use of intermittent reinforcement schedules, a linked behavior/reward sequence, and education to condition patients and allow them the opportunity to earn points as determined by a suite of complex behavioral algorithms.