HHS slaps Providence Health with $100,000 fine

By Diana Manos
12:00 AM

WASHINGTON – The Department of Health and Human Services has levied a $100,000 fine on Seattle-based Providence Health and Services for alleged violations of the Health Insurance Portability and Accountability Act of 1996 Privacy and Security Rules.

The violation, involving unprotected backup tapes, optical disks and laptops three years ago, compromised the protected health information of more than 386,000 patients, HHS officials said.

In addition to the fine – one of the heftiest levied by HHS thus far for a HIPAA violation – Providence will be required to follow a detailed corrective action plan for adequately safeguarding identifiable electronic patient information. HHS officials said the agreement is the first of its kind.

Winston Wilkinson, the director of the HHS’ Office of Civil Rights (OCR), said other providers should take notice. The enforcement agency “is committed to effective enforcement of health information privacy and security protections for consumers,” he said.

HIPAA requires covered entities under Medicare, including health plans, healthcare clearinghouses and most healthcare providers, to safeguard certain individually identifiable health information and to meet additional security standards for electronic patient information. The charge against Providence involved a security breach of electronic backup media and laptop computers containing individually identifiable health information in 2005 and 2006.

The OCR and the Centers for Medicare & Medicaid Services report they have successfully resolved more than 6,700 HIPAA Privacy and Security Rule cases, each requiring the entities to make systemic changes to health information privacy and security practices. Providence’s cooperation with the OCR and CMS allowed HHS officials to resolve the case without the need to impose a civil penalty (the $100,000 fine was called a “resolution amount” by HHS officials).

Wilkinson said the agency commends Providence for its cooperation during the investigation and for “their voluntary implementation of comprehensive and system-wide improvements to protect individually identifiable health information.”

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.