HHS fines health system for breach of privacy

On July 15, 2008, the Department of Health and Human Services (HHS) entered into an agreement with Seattle-based Providence Health & Services to settle potential violations of HIPAA privacy rules.

Under the agreement — the first time HHS has levied a fine for a data breach — Providence agrees to pay $100,000 and implement a detailed corrective action plan (CAP) to ensure that it will safeguard identifiable electronic patient information against theft or loss. Providence's data breach resulted from electronic record backups and laptop computers being left unattended, eventually leading to their loss or theft.

HHS says the breaches occurred when the backups and laptops were removed from Providence premises (in Oregon and Washington) and left unsecured; some thefts occurred when the items were left in Providence employees' cars.

While HIPAA does not specifically address transportation of personal health information via laptop (or car), the rule does require covered entities to safeguard portable media or devices, including paper charts being moved between offices.

Under the resolution agreement — also the first HHS has required from a covered entity — Providence agrees to take remediation steps, including:

  • Revising its policies and procedures regarding physical and technical safeguards (e.g., encryption);
  • Governing off-site transport and storage of electronic media containing patient information, subject to HHS approval;
  • Training workforce members on the safeguards;
  • Conducting audits and site visits of facilities.

According to HHS, it has received more than 30 complaints related to the loss or theft of patient information from Providence's data systems. The resolution agreement alleges that protected information of more than 386,000 patients was exposed by the breach.

(To read HHS guidance on HIPAA's security rule pertaining to electronic devices, go to www.cms.hhs.gov/SecurityStandard/Downloads/SecurityGuidanceforRemoteUseFinal122806.pdf.)