Thursday, February 26, 2009
Providence to Pay First HIPAA Fine of $100,000
Date Posted: July 18, 2008
Providence Health & Services agreed to pay $100,000 to resolve HIPAA privacy and security allegations, in the first such monetary settlement since the privacy rules took effect in 2003. The U.S. Department of Health and Human Services (HHS) had received more than 30 privacy and security complaints against Providence for its widely publicized losses of laptops and other sensitive items in 2005 and 2006.
Providence, an integrated health system based in Seattle, also will implement a detailed corrective action plan to settle a joint enforcement action by HHS’ Office for Civil Rights (OCR) and Centers for Medicare and Medicaid Services (CMS). Providence did not admit liability in the settlement, which obviated the need for HHS to undergo HIPAA’s official process for imposing civil monetary penalties.
The HHS investigation stemmed from five incidents, the main one being a December 2005 theft from a Providence employee’s car of backup tapes and disks containing unencrypted health information on about 365,000 home health care patients. Providence already had agreed to provide free credit monitoring and step up security measures in a September 2006 settlement with the state of Oregon.
“We are committed to effective enforcement of health information privacy and security protections for consumers,” OCR Director Winston Wilkinson said in a statement. “Other covered entities that are not in compliance with the privacy and security rules may face similar action.”
“Effective compliance means more than just having written policies and procedures,” added CMS Acting Administrator Kerry Weems. “Covered entities need to continuously monitor the details of their execution, and ensure that these efforts include effective privacy and security staffing, employee training and physical and technical features.”
“The protection of patient information is a top priority for Providence Health & Services,” said Eric Cowperthwaite, Providence’s chief information security officer, in the HHS statement. “Since these incidents occurred, we have reinforced our security protocols and implemented new data protection measures,” he said. “Under the terms of the agreement, we will continue to implement appropriate policies, procedures and training.”
HIPAA’s privacy and security rules and their enforcement are detailed in the Employer’s Guide to HIPAA Privacy Requirements.