- HIPAA Enforcement Evolves as HHS Requires First Resolution Agreement
- October 28, 2008 | Authors: Susan E. Ziel; Nicholas K. Lagina
- Law Firms: Krieg DeVault LLP - Carmel Office; Krieg DeVault LLP - Schererville Office
The Department of Health and Human Services ("HHS") recently announced an agreed settlement with Seattle-based Providence Health & Services ("PH&S") after investigations by the Office of Civil Rights ("OCR") and the Centers for Medicare & Medicaid Services ("CMS") exposed several potential HIPAA violations by two entities within the PH&S system. The Resolution Agreement described several "covered incidents" in which backup tapes, optical disks, and laptops containing unencrypted ePHI were stolen after PH&S staff left them unattended. The "covered incidents" occurred between September 2005 and March 2006, and compromised the protected health information of over 386,000 patients according to HHS. In the recent announcement, HHS noted PH&S's "cooperation with OCR and CMS allowed HHS to resolve this case without the need to impose a civil monetary penalty."
Under the terms of the Resolution Agreement, PH&S must pay a $100,000 fine, review and update the content of its policies and procedures regarding physical and technical safeguards of ePHI (subject to HHS's approval), and have its compliance monitored through unannounced visits, personnel interviews, and random inspection of portable devices containing ePHI. PH&S must also report any violation of its revised policies and procedures, and must also submit an "Implementation Report" detailing its implementation of the Resolution Agreement and a compliance report annually for three years. Significantly, HHS also reserved the right to impose civil monetary penalties for the failure to cure any breach within 30 days.
This required Resolution Agreement is a significant step in HIPAA enforcement. According to HHS, this occasion marks the first time HHS required such an agreement to resolve alleged Privacy and Security Rules violations. Typically, the OCR and CMS resolve potential violations by requiring entities to make systematic changes to their privacy and security practices.