Those of you who have heard us talk about HIPAA enforcement have always heard us say that the Department of Health & Human Services (HHS) has never issued a fine against anyone for violating HIPAA--along with the cautionary admonition that you don't want to become the first "poster child" for HIPAA noncompliance. Well, late last week, HHS announced that it had entered into a resolution agreement with Providence Health & Services, a health system based in Seattle, Washington. As part of the resolution, Providence agreed to a corrective action plan and a $100,000 penalty.
This enforcement action stemmed from a number of incidents that happened between September 2005 and March 2006 involving lost or stolen back-up tapes, hard drives and laptop computers containing information about Providence's patients--none of which were encrypted. Providence allowed employees to take these items off its premises, but apparently did not adequately train the employees to safeguard these materials. The employees left the materials unattended, and the items were lost or stolen.
Had Providence only experienced one incident, we're sure that HHS would not have taken this kind of action. But instead of re-evaluating and making changes to its policies and procedures after the first incident, Providence allowed the same risky practices to continue for several more months, resulting in four incidents of lost equipment containing data on more than 386,000 patients. Not only did Providence agree to pay $100,000 in penalties, but the settlement agreement also allows HHS to take further enforcement action relating to these incidents if Providence fails to comply with the corrective action plan. For those of you interested, a copy of the settlement agreement and corrective action plan is available at the HHS Web site, here.
What can we learn from this? Here are some things to think about:
Risk assessments need to be updated periodically. Have you revisited yours within the last 12 months?
When a security incident has occurred, do you re-evaluate your security policies and procedures and take timely action to prevent such events from happening again?
Having policies and procedures in place is not enough. Do you audit your processes (electronic and human) to make sure that policies and procedures are being followed?
Employees must be trained on security and privacy practices regularly to make sure that they understand the importance of these practices. Do you review your policies and procedures with your employees at least once a year?
Also keep in mind that HHS has announced it will begin conducting compliance audits in 2008 and that complaints about HIPAA violations may trigger such an audit. If you're curious what such an audit might involve, CMS has posted a list of sample interview and document requests here. Would you be able to produce all these documents?
If you have questions about HIPAA compliance or need to train your workforce, Warner's HIPAA Task Force can help! Please contact Norbert Kugele at 616.752.2186, or at email@example.com.