HHS cracks down: provider to pay $100,000 in HIPAA penalties over lost laptops

By Diana Manos
12:00 AM

HHS officials received more than 30 complaints about the stolen tapes and disks after Providence, pursuant to state notification laws, informed patients of the theft. Providence also reported the stolen media to HHS.

The OCR and CMS focused their investigations on Providence's failure to implement policies and procedures to safeguard the information.

Under the resolution agreement, Providence must revise its policies and procedures for encryption, off-site transport and storage of electronic media containing patient information. Subject to HHS approval, Providence must train workforce members on the safeguards, conduct audits and site visits of facilities and submit compliance reports to HHS for three years.

Eric Cowperthwaite, Providence's chief information security officer, said patient information protection is a top priority. "Since these incidents occurred, we have reinforced our security protocols and implemented new data protection measures," he said. "Under the terms of the agreement, we will continue to implement appropriate policies, procedures and training."

Kerry Weems, acting administrator of the CMS, said the resolution confirms that effective compliance means more than just having written policies and procedures.

"To protect the privacy and security of patient information, covered entities need to continuously monitor the details of their execution and ensure that these efforts include effective privacy and security staffing, employee training and physical and technical features," Weems said.

Do you agree with the resolution of this case? E-mail your comments to Senior Editor Diana Manos at diana.manos@medtechpublishing.com.
