Dept of HHS issues penalty for not securing and protecting patient data


Specializes in Informatics, Education, and Oncology.

The Department of Health and Human Services is critically reviewing HIPAA-related complaints and issuing monetary penalties. In the attached article, Providence Health & Services will pay thousands of dollars as a penalty for not securing and protecting patient data.

COMPLIANCE COUNSELOR

HIPAA privacy regulations get some teeth: Be prepared

09.17.2008

Watch out, folks, it's finally happened. The U.S. Department of Health and Human Services (HHS) has levied the first penalties against a healthcare agency. Providence Health & Services, based in Seattle, has agreed to a six-figure settlement following HIPAA security and privacy violations related to the loss of 386,000 patients' personal health information. Before mid-July, settlements had been resolved by requiring organizations to resolve their privacy and security problems. It's no longer sufficient, however, to tell the auditors, "We'll resolve that problem."

The HHS settlement agreement states that disks containing individuals' HIPAA-protected health records were taken from employees' cars on at least five occasions in 2005 and 2006. The agreement also mandates that Providence Health & Services use encryption and other data protection policies to prevent the opening of authorized files. Providence must also train employees on security processes and issue compliance reports to HHS for three years.

This news should eliminate the false perception among healthcare organizations that HIPAA compliance is optional. Now that fines and monetary penalties are on the table, it's time for enterprises to shore up their HIPAA compliance programs, and that means being prepared for that next audit.
