Health System to Pay $100K to Seattle HIPAA-Related Allegations

Publicado en: 8/08/2008.  Fuente:

Seattle-based Providence Health & Services has agreed to pay $100,000 as part of an agreement to resolve allegations that it violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

Providence entered a Resolution Agreement with the U.S. Department of Health & Human Services (HHS). In the agreement, Providence agrees to pay $100,000 and implement a detailed Corrective Action Plan to ensure that it will appropriately safeguard identifiable electronic patient information against theft or loss.

With respect to the HIPAA Privacy and Security Rules, this is the first time HHS has required a Resolution Agreement from a covered entity. HHS says that Providence ‘s cooperation allowed the agency to resolve this case without the need to impose a civil money penalty.

The agency says the agreement relates to Providence’s loss of electronic backup media and laptop computers containing individually identifiable health information in 2005 and 2006.

The agency alleges that on several occasions between September 2005 and March 2006, backup tapes, optical disks, and laptops, all containing unencrypted electronic protected health information, were removed from the Providence premises and were left unattended. The media and laptops were subsequently lost or stolen, compromising the protected health information of over 386,000 patients, says the agency.

HHS received over 30 complaints about the stolen tapes and disks, submitted after Providence , pursuant to state notification laws, alerted patients to the theft. Providence also reported the stolen media to HHS.