HIPAA privacy and security violations cost Seattle company $100,000

The Health and Human Services Department has settled complaints over breaches of health information privacy and security rules by a Seattle home health care company.

Health records of more than 386,000 patients were compromised, according to an HHS news release. Under the first-of-its-kind agreement, Providence Health & Services of Seattle has paid $100,000 and promised to take steps to ensure further breaches do not happen.

The agreement labels the $100,000 payment a “resolution amount.” “Providence’s cooperation with [HHS offices] allowed HHS to resolve this case without the need to impose a civil monetary penalty,” the news release states.

The agreement may signal that HHS is taking a tougher stance toward violations. Winston Wilkinson, director of the HHS Office of Civil Rights, said in a statement, “We are committed to effective enforcement of health information privacy and security protections for consumers. Other covered entities that are not in compliance with the privacy and security rules may face similar action.”

The agreement states that laptops, disks and tapes containing individuals’ health records protected under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) were taken from cars parked by Providence employees on five occasions in 2005 and 2006.

Providence followed state law and notified the patients, who filed more than 30 complaints with HHS. Providence also notified HHS and subsequently cooperated with HHS’ investigation, the release says.

The agreement calls for Providence to adopt strong policies and procedures for protection of information, use encryption and other techniques to prevent unauthorized persons from obtaining and opening files, train employees in security procedures, audit compliance of its managers and employees and submit reports to HHS for three years.

The investigation was carried out by the Office of Civil Rights, which enforces the HIPAA privacy rules, and the Centers for Medicare and Medicaid Services, which enforces the HIPAA security rules.

The offices have received more than 6,700 reports of breaches under HIPAA, and neither has imposed a fine or other such penalty on violators. Instead, the department has taken the position that requiring violators to change their practices is the best way to achieve compliance.

But the stance has drawn criticism from privacy advocates, who argue that some violations warrant fines as provided in HIPAA. One advocate, Deven McGraw, who heads the Health Privacy Project at the Center for Democracy and Technology in Washington, commented today that “we still have a long way to go [to achieve strong enforcement of the HIPAA rules], but perhaps the door has been opened a bit.”

“It looks like an appropriate penalty,” McGraw added, but she said she wonders “what is the reticence with calling it a civil monetary penalty.”

“The protection of patient information is a top priority for Providence Health & Services,” said Providence’s chief information security officer, Eric Cowperthwaite. “Since these incidents occurred, we have reinforced our security protocols and implemented new data protection measures. Under the terms of the agreement, we will continue to implement appropriate policies, procedures and training.”
