Providence Health and Services (Seattle) will pay a fine of $100,000 to settle potential HIPAA violations and is implementing a corrective action plan to more effectively protect electronic patient information, as a result of a resolution agreement it established with the U.S. Department of Health and Human Services (HHS (Washington, D.C.)
The agreement relates to Providence’s loss of electronic backup media and laptop computers containing individually identifiable health information in 2005 and 2006; the incidents were in violation of the Privacy and Security Rules, according to the organization.
Revise its policies and procedures regarding physical and technical safeguards (e.g., encryption) governing off-site transport and storage of electronic media containing patient information, subject to HHS approval;
Train workforce members on the safeguards; and
Conduct audits and site visits of facilities; and submitting compliance reports to HHS for a period of three years.
The Resolution Agreement and Corrective Action Plan can be found on the OCR Web site at http://www.hhs.gov/ocr/privacy/enforcement/.
Providence is a not-for-profit health system providing services to patient communities across five states, including Alaska, Washington, Montana, Oregon and California. The system includes 26 hospitals, more than 35 non-acute facilities, physician clinics, a health plan, and educational facilities.