Feds finally put teeth into HIPAA enforcement

Computerworld - A data security audit that the U.S. Department of Health and Human Services conducted at Piedmont Hospital in Atlanta last year was widely viewed within the health care industry as a harbinger of further actions by the federal government to enforce HIPAA's security and privacy rules.

Eighteen months after HHS quietly began the Piedmont audit, there hasn't been much evidence of stepped-up enforcement. But now a stringent "resolution agreement" signed in July by the agency and Seattle-based Providence Health & Services is generating the same kind of buzz among health care providers that the Piedmont audit did.

On July 15, Providence agreed to adopt a so-called corrective action plan (CAP) and pay $100,000 to settle what HHS described as "potential violations" of the Health Insurance Portability and Accountability Act's requirements for safeguarding electronic patient data.

The resolution agreement — the first of its kind under HIPAA — stemmed from the loss or theft of laptops, optical discs and backup tapes containing the unencrypted medical records of more than 386,000 Providence patients. On several occasions in 2005 and 2006, equipment was reported missing after workers took it out of the office with them.

Under the CAP (download PDF), Providence has to revamp its security policies to include physical protections for portable devices and for the off-site transport and storage of backup media. It also is required to implement technical safeguards, such as encryption and password protection. And the not-for-profit health system, which has operations in five western states, must conduct random compliance audits and submit compliance reports to HHS for the next three years.

In addition, the agreement calls for Providence's chief information security officer to personally validate that all required policies have been put in place and that all employees have been trained on adhering to them. The CISO also has to attest that all backup media and portable devices containing health information protected by HIPAA are properly secured.

Significantly, the CAP precludes Providence Health from contesting the validity of or appealing any of its obligations under the agreement. The settlement is getting considerable attention within the health care industry because of the tough terms and conditions that the deal imposed on the provider.

"The CAP gives us some indication that the bar is being raised when it comes to HIPAA compliance," said Lisa Gallagher, director of privacy and security at the Healthcare Information and Management Systems Society (HIMSS) in Chicago. "This is a fairly serious corrective action plan."

Gallagher added that the deal with Providence sends a clear message to other health care providers that HHS is finally cracking down on HIPAA violators, after having been accused of lax enforcement in the past.

The harder line is in keeping with an announcement in January that the Centers for Medicare & Medicaid Services (CMS), the HHS unit responsible for administering the HIPAA security rules, had hired PricewaterhouseCoopers to conduct audits on its behalf. At the time, the CMS said it planned to do 10 to 20 audits this year at organizations that had been the target of complaints about their data security practices.

According to Gallagher, the CMS is expected to release findings from those audits early next year. It also plans to highlight violation trends and provide guidance on the biggest problems that health care providers are having in implementing the controls required by HIPAA. "As far as I know, they are under way with these audits," she said.