HIPAA privacy and security violations cost Seattle company $100,000

First-of-its-kind settlement could signal that HHS is taking a tougher stance toward violations.

The Health and Human Services Department has settled complaints over breaches of health information privacy and security rules by a Seattle home health care company.

Health records of more than 386,000 patients were compromised, according to an HHS news release. Under the first-of-its-kind agreement, Providence Health & Services of Seattle has paid $100,000 and promised to take steps to ensure further breaches do not happen.

The agreement labels the $100,000 payment a “resolution amount.” “Providence’s cooperation with [HHS offices] allowed HHS to resolve this case without the need to impose a civil monetary penalty,” the news release states.

The agreement may signal that HHS is taking a tougher stance toward violations. Winston Wilkinson, director of the HHS Office of Civil Rights, said in a statement, “We are committed to effective enforcement of health information privacy and security protections for consumers. Other covered entities that are not in compliance with the privacy and security rules may face similar action.”

The agreement states that laptops, disks and tapes containing individuals’ health records protected under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) were taken from cars parked by Providence employees on five occasions in 2005 and 2006.

Providence followed state law and notified the patients, who filed more than 30 complaints with HHS. Providence also notified HHS and subsequently cooperated with HHS’ investigation, the release says.

The agreement calls for Providence to adopt strong policies and procedures for protection of information, use encryption and other techniques to prevent unauthorized persons from obtaining and opening files, train employees in security procedures, audit compliance of its managers and employees and submit reports to HHS for three years.

The investigation was carried out by the Office of Civil Rights, which enforces the HIPAA privacy rules, and the Centers for Medicare and Medicaid Services, which enforces the HIPAA security rules.

The offices have received more than 6,700 reports of breaches under HIPAA, and neither has imposed a fine or other such penalty on violators. Instead, the department has taken the position that requiring violators to change their practices is the best way to achieve compliance.

But the stance has drawn criticism from privacy advocates, who argue that some violations warrant fines as provided in HIPAA. One advocate, Deven McGraw, who heads the Health Privacy Project at the Center for Democracy and Technology in Washington, commented today that “we still have a long way to go [to achieve strong enforcement of the HIPAA rules], but perhaps the door has been opened a bit.”

“It looks like an appropriate penalty,” McGraw added, but she said she wonders “what is the reticence with calling it a civil monetary penalty.”

“The protection of patient information is a top priority for Providence Health & Services,” said Providence’s chief information security officer, Eric Cowperthwaite. “Since these incidents occurred, we have reinforced our security protocols and implemented new data protection measures. Under the terms of the agreement, we will continue to implement appropriate policies, procedures and training.”
