$100,000 HIPAA Enforcement
Several years after the HIPAA privacy and security standards
became effective, the U.S. Department of Health and Human Services
("HHS") has stepped up its enforcement activities,
recently fining a healthcare system $100,000 for HIPAA violations.
On July 15, 2008, HHS entered into a Resolution Agreement with
Providence Health & Services, Providence Health System-Oregon
and Providence Hospice and Home Care, all related non-profits based
in the states of Washington and Oregon (collectively,
"Providence"). The agreement resulted from an HHS
investigation of five incidents in late 2005 and early 2006 in
which Providence staff members, in violation of applicable security
policies, had taken off premises laptops, tapes and disks that
contained electronic protected health information
("ePHI"). The media and laptops were subsequently lost or
stolen. The documents give no indication that the ePHI at issue was
misused by whoever took the laptops, tapes and disks, or by any
other party, or that the ePHI was ever recovered.
Under the Corrective Action Plan appended to its Resolution
Agreement, Providence is subject to tough terms that include
revised policies and procedures, re-training for all workers and
increased self-auditing. In addition, the agreement imposed outside
monitoring and regular reporting requirements. If HHS is not
satisfied with Providence's intensified compliance activities,
Providence is potentially subject to fines in addition to the
original $100,000.
This is not HHS's first HIPAA enforcement action but is its
most significant to date. Since HIPAA's implementation, the
Office for Civil Rights at HHS, which handles HIPAA complaints, has
received over 30,000 complaints that have led to more than 5,000
corrective actions and more than 400 referrals to the U.S.
Department of Justice for possible criminal violations. In general,
however, HHS's philosophy of enforcement has been to emphasize
compliance rather than punishment, working with the provider to
develop better systems and procedures. But with the imposition of
this substantial monetary penalty, HHS has given real teeth to
HIPAA enforcement and indicated an intention to become more
punitive, presumably on the theory that providers have had
sufficient time to bring their operations into compliance.
Hospitals and other organizations subject to HIPAA should consider
assessing their own compliance in light of this development.
For more information regarding this...