The Department of Health and Human Services (HHS) and Providence Health & Services have entered into a Resolution Agreement that includes a payment to HHS and corrective action plan for the Seattle-based health system to settle potential HIPAA privacy and security rule violations that occurred in 2005 and 2006, according to a July 17 HHS press release.
In addition to paying the $100,000 resolution amount to HSS, Providence has agreed to a “robust” corrective action plan to help ensure the future protection of its electronic PHI from theft or loss.
The Resolution Agreement comes after two entities within the Providence health system—Providence Home and Community Services and Providence Hospice and Home Care—were involved in several incidents in 2005 and 2006 dealing with the loss or theft of multiple items containing the unencrypted PHI of more than 386,000 patients. The items included laptop computers, optical disks, and electronic backup tapes, all of which HIPAA required Providence to safeguard because they contained patient information.
Take security seriously
“This really does show just how serious security enforcement is getting,” says William M. Miaoulis, CISA, CISM, manager of healthcare security services for Phoenix Health Systems in Dallas. “Although [Providence] agreed to pay a monetary sum, they’ve also agreed to implement a detailed corrective action plan. I think that’s the most important part,” he adds.
According to the press release, the corrective action plan requires the following:
- Revised policies and procedures for physical and technical safeguards relating to storage and transport of devices or media containing PHI, subject to the approval of HHS
- Work force training for staff members
- Mandatory audits and facility site visits
- Submission of compliance reports to HHS for three years
In addition to implementing a corrective action plan, Providence Health & Services is putting the protection of patient information at the top of its priority list, Eric Cowperthwaite, Providence’s chief information security officer, said in the press release. “Since these incidents occurred, we have reinforced our security protocols and implemented new data protection measures. Under the terms of the agreement, we will continue to implement appropriate policies, procedures, and training,” he said.
Be ready for future enforcement
This incident marks the first-ever HHS Resolution Agreement, though it may not be the last, says Winston Wilkinson, director of the Office for Civil Rights (OCR).
“We are committed to effective enforcement of health information privacy and security protections for consumers,” Wilkinson said in the press release. “Other covered entities that are not in compliance with the Privacy and Security Rules may face similar action.”
However, Providence will not face a civil money penalty because it cooperated with OCR and CMS during the investigation.
Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, says HHS needs to provide clarification on why it is not calling the resolution payment a civil penalty. Although HIPAA allows the OCR and CMS to pursue criminal penalties, levy civil penalties, and work with the organization through an informal correction action agreement or work plan. “Informal is defined as technical support, education, and so forth,” says Apgar. ”Nowhere does it say that informal has a price tag. So this is a stretch in some respects. There’s nothing in the enforcement rule that says they can impose a fine or make you pay money unless it is a civil penalty.”
“They’re very careful to say that they were so cooperative that there’s no monetary penalty. But what do they call it then, if it isn’t a penalty? Why is HHS reluctant to call this a penalty?” asks Kate Borten, CISSP, CISM, president of The Marblehead (MA) Group. “It’s a civil penalty for failure of compliance,” she adds. “But in the end, forget about the $100,000 and the fact that HHS is breathing down your neck for three years, the message is that you have to [take information security seriously].”
The financial penalty is attached to make a point, says John R. Christiansen, JD, managing director of Christiansen IT Law in Seattle. “Even if you cooperate in good faith and didn’t mean to do it, there are consequences,” he says. “You have to be serious about information protection in your healthcare organization, even if it is difficult.”
Ensure your policies and procedures are reaching your staff
Being serious includes ensuring that your policies and procedures are effectively reaching your entire work force. “This should be a wake-up call for all of us,” says Mary D. Brandt, MBA, RHIA, CHE, CHPS, president of Brandt & Associates, Inc., in Bellaire, TX. “Very few organizations have done a thorough risk analysis, and it’s easy to overlook functions like home health that may be separate from the hospital,” she adds.
Home health workers, in particular, are at high risk for HIPAA violations simply because these workers take PHI out of the organization every day to provide patient care, she adds. Brandt says hospitals should perform a proactive comprehensive risk analysis for ePHI so they don’t end up in Providence’s situation.
HHS’ investigation focused on Providence’s failure to enforce relevant policies and procedures. “The very fact that this happened underscores the difficulty of managing security in a big healthcare organization,” says Christiansen. “In a big healthcare organization, it is frequently the case where there is a lot of delegated authority . . . It is very hard to make sure you are getting accurate information out to all of the people who need it and to remind them of it.”
The intent of the Resolution Agreement may be to send a message to covered entities that they need to revisit the security rule requirements and implementation specifications, says John C. Parmigiani, president of John C. Parmigiani & Associates, LLC, in Ellicott City, MD. “Some of the things that were addressable need to be looked at again due to changing environments in terms of threats and your own capabilities, such as your use of remote access and removable media,” says Parmigiani.
In addition, healthcare providers should revisit the security rule guidance CMS released in December 2006. HHS has now laid the groundwork for enforcing the guidance even though it was not a part of the original security rule, according to Parmigiani.
Miaoulis notes that the Providence security incidents occurred in 2005 and 2006, and CMS issued the guidance on remote and mobile data by the end of 2006. “I’m not saying they are connected, but what I am saying is that people need to get their hands on that and read that,” he says.
Andrea Kraynak is the editor of Briefings on HIPAA, a monthly newsletter from HCPro, Inc. She may be reached at akraynak@hcpro.com.