Watch out folks, it’s finally happened. The U.S. Department of Health and Human Services (HHS) has levied the first penalties against a healthcare agency. Providence Health & Services, based in Seattle, has agreed to a six-figure settlement following HIPAA security and privacy violations related to the loss of 386,000 patients’ personal health information. Before mid-July, settlements had previously been resolved by demanding organizations to resolve their privacy and security problems. It’s no longer sufficient, however, to tell the auditors, “we’ll resolve that problem.”
The HHS settlement agreement states that disks containing individuals’ HIPAA-protected health records were taken from employees’ cars on at least five occasions in 2005 and 2006. The agreement also mandates that Providence Health and Services use encryption and other data protection policies to prevent the opening of authorized files. Providence must also train employees on security processes and issue compliance reports to HHS for three years.