HHS is trying a more rigid approach to handling healthcare organizations deemed too cavalier with private patient information.
The department's Office for Civil Rights and the CMS for the first time required a resolution agreement for potential violations of the Health Insurance Portability and Accountability Act last week, addressing a series of stumbles by Seattle-based Providence Health & Services. The system agreed to pay $100,000 and adhere to a three-year plan to prevent further breaches like four incidents in 2005 and 2006 in which tapes, disks and laptop computers storing unencrypted patient data were left unattended and lost or stolen.
Providence does not concede in the agreement that the incidents constituted violations of the privacy rules. The system has implemented most of the security protocols and data protection measures required by the agreement, Providence spokesman Thomas Johnson said.
As of June 30, HHS had investigated nearly 10,000 HIPAA privacy complaints, of which 6,648 led the department to demand changes to privacy practices without requiring an agreement like the one Providence has entered. "It certainly is a means of solving a case that we will be using in the future in appropriate circumstances," said Susan McAndrew, deputy director for health information privacy in the Office for Civil Rights.
At least one privacy advocate is skeptical. Twila Brase, president of the Citizens Council on Health Care, said, "It was such a huge case that they decided to write something up to show the public. Personally I think it's more of a showpiece."
The breaches together compromised the protection of more than 386,000 patients. The vast majority of them were lost in a single incident in which backup tapes and disks with files on 365,000 patients of Providence Home & Community Services, an Oregon subsidiary of the 25-hospital system, were stolen from an information technology employee's minivan.