Editor's Letter - Checking Up On HIPAA

Is the federal government finally sinking its teeth into violators of the Health Information Portability and Accountability Act (HIPAA)?

The U.S. Department of Health & Human Services (HHS) recently entered into a "Resolution Agreement" with Providence Health & Services, based in Seattle, addressing "potential violations" of HIPAA Privacy and Security Rules. The agreement relates to Providence’s 2005 and 2006 losses of electronic backup media and laptops containing identifiable health information for more than 386,000 patients.

A Resolution Agreement is a contract signed by HHS and an organization that may be in violation of HIPAA, in which the organization in question agrees to certain obligations, such as staff training. Under the terms of such an agreement, the organization typically must report to HHS for a three-year period.

This is the first such agreement that HHS has entered into concerning the HIPAA Privacy and Security Rules. According to a press release from HHS, Providence’s cooperation with the Centers for Medicare & Medicaid Services (CMS), the unit of HHS responsible for administering the HIPAA security rules, and with the HHS Office for Civil Rights allowed the agency to resolve the case without imposing a civil monetary penalty.

Under the agreement, Providence has agreed to pay $100,000 to HHS and to implement a detailed "Corrective Action Plan" (CAP) to safeguard electronic patient information. The CAP calls for Providence to revise its policies and procedures regarding physical and technical safeguards governing off-site transport and storage of electronic media containing patient information; train employees on these new safeguards; conduct audits and site visits of facilities; and submit compliance reports to HHS for three years.

Also, in January CMS hired PricewaterhouseCoopers to perform 10 to 20 audits during the year at organizations whose data security practices were targeted in complaints.

These audits could be in response to the threat of an HHS Inspector General’s office review as to how CMS handles HIPAA security enforcement.

Enforcement of HIPAA’s Privacy and Security Rules began in 2003. HHS data for 2007, however, show that 69 percent of cases (4,977) were resolved after intake and review; in 10 percent (715) no violation was found; and 21 percent (1,484) resulted in corrective action, though the nature of that action is not specified.

For those people who have been critical of HIPAA enforcement, the Resolution Agreement and its CAP, as well as the audits in progress, are surely welcome news that could signal stronger enforcement to come and new opportunities for information management professionals who serve the health care industry.
