The Privacy and Security Rules are enforced by HHS’ Office for Civil Rights (OCR) and the Centers for Medicare & Medicaid Services (CMS). The Privacy and Security Rules require health plans, healthcare clearinghouses and most healthcare providers to safeguard the privacy of certain individually identifiable health information and meet additional security standards for patient information maintained in electronic form.
While OCR and CMS have resolved more than 6,700 Privacy and Security Rule cases by requiring the entities to make systemic changes to their health information privacy and security practices, the HHS said this is the first time it has required a resolution agreement from a covered entity.
The agnecy said that Providence’s cooperation with OCR and CMS allowed it to resolve the case without the need to impose a civil money penalty.
On several occasions between September 2005 and March 2006, the HHS said that backup tapes, optical disks, and laptops, all containing unencrypted electronic protected health information, were removed from the Providence premises or were left unattended. The media and laptops were subsequently lost or stolen, compromising the protected health information of nearly 400,000 patients.
HHS said it received more than 30 complaints about the stolen tapes and disks, submitted after Providence, pursuant to state notification laws, informed patients of the theft. Providence also reported the stolen media to HHS.
OCR and CMS focused their investigations on Providence’s failure to implement policies and procedures to safeguard this information.
Under the agreement, Providence paid $100,000 resolution amount to HHS and agreed to implement a corrective action plan that requires: revising its policies and procedures regarding physical and technical safeguards governing off-site transport and storage of electronic media containing patient information, subject to HHS approval; training workforce members on the safeguards; conducting audits and site visits of facilities; and submitting compliance reports to HHS for a period of three years.