Seattle-based Providence Health & Services has agreed to pay a $100,000 resolution fine to the Department of Health and Human Services. In addition, Providence will implement a corrective plan to increase protection of patient data.
The fine, resulting from five incidents between September 2005 and March 2006 that compromised the protected health information of 386,000 patients, is not a civil fine, according to HHS. Providence's cooperation with HHS' Office for Civil Rights and the Centers for Medicare and Medicaid Services allowed HHS to resolve this case without the need to impose a civil money penalty, according to an HHS statement.
During the incidents in 2005 and 2006, unencrypted backup tapes, optical disks and laptops belonging to Providence home and hospice care agencies were lost or stolen. In late December 2005, for instance, home health disks and tapes containing Social Security numbers and clinical and demographic data were stolen from the car of an employee. The theft was reported on Dec. 31, but Providence did not notify patients until Jan. 25, 2006.
On Jan. 25, Providence officials said they believed the thief would need specialized skills to access data on the disks and tapes. But a week later, the delivery system acknowledged that patients received suspicious telephone calls from purported Providence employees asking for Social Security numbers, bank account numbers and other personal information to verify the stolen data. Providence then offered affected patients free credit and monitoring services, fired one employee and accepted the resignations of three others. It also implemented a policy to encrypt backup data.
The corrective plan requires Providence to:
* Revise policies regarding physical and technical safeguards for off-site transport and storage of electronic media containing patient information;
* Train employees on the safeguards;
* Conduct audits and site visits of facilities; and
* Submit compliance reports to HHS for three years.
The corrective plan is available at hhs.gov/ocr/privacy/enforcement/agreement.pdf.