The Department of Health and Human Services (“HHS”) has entered into its first Resolution Agreement and corrective action plan (“CAP”) under the Security Rule of the Health Insurance Portability and Accountability Act (“HIPAA”). The CAP was signed in July 2008 by HHS and Providence Health & Services (the “Covered Entity”) to settle what HHS described as “potential violations” of HIPAA’s requirements for safeguarding electronic patient data. HHS concerns about such potential violations stemmed from the loss or theft of laptops, optical discs and backup tapes containing the unencrypted medical records of more than 386,000 patients of the Covered Entity. The data loss and/or theft at the Covered Entity was the focus of much media scrutiny, particularly in the Seattle area where many of the patients are located. This CAP is notable as the first Resolution Agreement required by HHS of a covered entity under the HIPAA Privacy and Security Rules.
Data Security Requirements Imposed
Under the terms of the settlement, the Covered Entity agreed to pay $100,000 to settle the alleged violations claimed by HHS. It has also agreed to make a number of changes regarding its information security. Specifically, it has agreed to revamp its security policies to include physical protections for portable devices and for the off-site transport and storage of backup media. The Covered Entity also agreed to implement technical safeguards, such as encryption and password protection. The CAP also requires the company’s chief information security officer to personally validate that all required policies have been put in place and that all employees have been properly trained. In addition, the company must conduct random compliance audits and submit compliance reports to HHS for the next three years, including self-reporting of any violations. The Resolution Agreement also tolls the statute of limitations on civil monetary penalties so that HHS can bring such claims if necessary. Significantly, under the terms of the agreement, the Covered Entity will be unable to contest any of the terms of the CAP in the future.
This CAP is notable not only because it is the first of its kind but also because it is very stringent in terms of the obligations imposed upon the covered entity. In the past, HHS has been accused of being lax in enforcing HIPAA. However, this CAP signals that HHS may be cracking down on HIPAA violators and getting tough on enforcement. Other recent developments also support this possible trend. For instance, in January, the Centers for Medicare & Medicaid Services (“CMS”), the unit responsible for administering the HIPAA Security Rule, announced that it had hired PricewaterhouseCoopers to conduct audits on its behalf. At the time, the unit said it planned to do 10 to 20 audits this year at organizations that had been the target of complaints about their data security practices. In addition, last year, HHS disclosed that it had conducted a compliance audit of Piedmont Hospital in Atlanta.
Over the years HIPAA has been in force, there has been scant enforcement activity; this case is a startling example of the potential consequences of HIPAA violations. The terms of the CAP are both detailed and strict, and the prohibition on contesting the terms of the CAP means that the Covered Entity will be locked into these requirements for the duration. Given this CAP and the audit activity of HHS, all HIPAA covered entities should conduct an internal compliance review to ensure that they are taking all appropriate measures to comply with HIPAA. Likewise, service providers who are business associates of covered entities should evaluate their own policies and procedures, as well as their compliance with the terms of the business associate agreements they have with covered entities. With concern about this CAP circulating in the healthcare community, it would not be surprising if more covered entities increase audits of the activities of their business associates.