The case involved exchanges of information between two entities in the Providence health system, Providence Home and Community Services and Providence Hospice and Home Care. On several occasions between September 2005 and March 2006, backup tapes, optical disks and laptops containing unencrypted electronic protected health information were removed from the Providence premises and left unattended, HHS officials said.

HHS officials received more than 30 complaints about the stolen tapes and disks after Providence, pursuant to state notification laws, informed patients of the theft. Providence also reported the stolen media to HHS.

The OCR and CMS focused their investigations on Providence’s failure to implement policies and procedures to safeguard the information.

Under the resolution agreement, Providence must revise its policies and procedures for encryption, off-site transport and storage of electronic media containing patient information. Subject to HHS approval, Providence must train workforce members on the safeguards, conduct audits and site visits of facilities and submit compliance reports to HHS for three years.

Eric Cowperthwaite, Providence’s chief information security officer, said patient information protection is a top priority. “Since these incidents occurred, we have reinforced our security protocols and implemented new data protection measures,” he said. “Under the terms of the agreement, we will continue to implement appropriate policies, procedures and training.”

Kerry Weems, acting administrator of CMS, said the resolution confirms that effective compliance means more than just having written policies and procedures.

“To protect the privacy and security of patient information, covered entities need to continuously monitor the details of their execution and ensure that these efforts include effective privacy and security staffing, employee training and physical and technical features,” Weems said.