June 13, 2009
Previously published on July 29, 2008
The Health Insurance Portability & Accountability Act of 1996 (“HIPAA”) is not a new law. However, recent enforcement activity by the Department of Health and Human Services (“HHS”) indicates the agency’s willingness to apply this well-known law in new ways.
HIPAA, among other things, requires those covered entities that collect protected health information to protect and safeguard such information against loss and theft. Violations of HIPAA are policed and enforced by HHS. Earlier this month, HHS reached a settlement regarding alleged HIPAA violations (“Resolution Agreement”) with Providence Health & Services, a health services company located in the western United States. The HHS enforcement action against Providence stems from a security breach at two Providence entities.
Between September 2005 and March 2006, electronic media such as backup tapes and laptops that contained unencrypted electronic protected health information were removed from Providence and left unattended. These items were eventually lost or stolen and the health information of over 386,000 patients was compromised. HHS received more than 30 complaints after Providence alerted patients pursuant to state security breach laws. In the wake of this security breach, HHS initiated an investigation of Providence’s failure to implement policies and procedures to safeguard electronic protected health information.
Of the more than 6,700 reports of breaches under HIPAA received by the federal regulators, this is the first instance of HHS imposing a fine on violators. The settlement, although the first of its kind for HHS, is similar in many respects to agreements reached by the Federal Trade Commission with entities experiencing other kinds of data breaches. The Resolution Agreement requires Providence to pay a $100,000 penalty and implement a detailed Corrective Action Plan (“CAP”). Essentially, the CAP is a three-year probation plan requiring Providence to implement policies and procedures to protect information, including policies and procedures related to off-site transport and storage of electronic media. The CAP also requires Providence to provide implementation and annual reports to HHS on its data safeguarding procedures and policies. The CAP further requires Providence to provide records to HHS upon request, notify HHS of any future security breach, and calls for a civil penalty to be imposed for future breaches should Providence not respond to a breach in a satisfactory manner.
This development is a warning shot to other covered entities, including most employers who sponsor their employees’ health plans. HHS’s director of its Office of Civil Rights emphasized that the agency is “committed to effective enforcement of health information privacy and security protections for consumers. Other covered entities that are not in compliance with the privacy and security rules may face similar action.” All businesses must remember that personal information should be maintained securely and protected from loss or theft and that data breaches can be costly. HIPAA covered entities that do not have adequate protection policies in place when a breach occurs could find themselves tangled up with the HHS for several years and paying a high cost for their failures – in fines and legal fees.