• E-mail
• Print
• RSS
• Buy It Now
• Reprints

Covered entity pays for a potential HIPAA violation

Briefings on HIPAA, September 1, 2008

This is an excerpt from a member only article. To read the article in its entirety, please login or subscribe to Briefings on HIPAA.

HHS has thrown down the gauntlet; HIPAA violations may now come with a price. HHS and Seattle-based Providence Health & Services recently entered into a Resolution Agreement to settle potential HIPAA privacy and security rule violations that occurred in 2005 and 2006, according to a July 17 HHS press release. The agreement includes a payment to HHS and a corrective action plan for the health system. (To read the press release, visit www.hhs.gov/news/press/2008pres/07/20080717a.html.) The agreement requires Providence to pay HHS $100,000 and to implement a “robust” corrective action plan to help protect its electronic PHI from theft or loss in the future.

HHS included a financial penalty to make a point, says John R. Christiansen, JD, managing director at Christiansen IT Law in Seattle. “Even if you cooperate in good faith and didn’t mean to do it, there are consequences,” Christiansen says.

The Resolution Agreement stems from several incidents involving the loss or theft of multiple items containing the unencrypted PHI of more than 386,000 patients during 2005 and 2006. The incidents occurred at Providence Home and Community Services and Providence Hospice and Home Care. The items included laptop computers, optical disks, and electronic backup tapes, all of which required safeguards because they contained patient information.

This is an excerpt from a member only article. To read the article in its entirety, please login or subscribe to Briefings on HIPAA.

• Comment
• E-mail to a Colleague
• Print
• RSS
• Archive
• Buy It Now
• Reprints / Permissions

Comments