Three years after the federal laws rules on securing health care data took effect, HHS has issued its first corrective action plan. And more may be on the way.
A data security audit that the U.S. Department of Health and Human Services conducted at Piedmont Hospital in Atlanta last year was widely viewed within the health care industry as a harbinger of further actions by the federal government to enforce HIPAA’s security and privacy rules.
Eighteen months after HHS quietly began the Piedmont audit, there hasn’t been much evidence of stepped-up enforcement. But now a stringent “resolution agreement” signed in July by the agency and Seattle-based Providence Health & Services is generating the same kind of buzz among health care providers that the Piedmont audit did.
On July 15, Providence agreed to adopt a so-called corrective action plan (CAP) and pay $100,000 to settle what HHS described as “potential violations” of the Health Insurance Portability and Accountability Act’s requirements forsafeguarding electronic patient data.
The resolution agreement — the first of its kind under HIPAA — stemmed from theloss or theft of laptops, optical discs and backup tapes containing the unencrypted medical records of more than 386,000 Providence patients. On several occasions in 2005 and 2006, equipment was reported missing after workers took it out of the office with them.
Under the CAP (download PDF), Providence has to revamp its security policies to include physical protections for portable devices and for the off-site transport and storage of backup media. It also is required to implement technical safeguards, such as encryption and password protection. And the not-for-profit health system, which has operations in five western states, must conduct random compliance audits and submit compliance reports to HHS for the next three years.
In addition, the agreement calls for Providence’s chief information security officer to personally validate that all required policies have been put in place and that all employees have been trained on adhering to them. The CISO also has to attest that all backup media and portable devices containing health information protected by HIPAA are properly secured.
Significantly, the CAP precludes Providence Health from contesting the validity of or appealing any of its obligations under the agreement. The settlement is getting considerable attention within the health care industry because of the tough terms and conditions that the deal imposed on the provider.
“The CAP gives us some indication that the bar is being raised when it comes to HIPAA compliance,” said Lisa Gallagher, director of privacy and security at the Healthcare Information and Management Systems Society (HIMSS) in Chicago. “This is a fairly serious corrective action plan.”
The security action items that Providence Health & Services agreed to include the following:
- Revise policies and procedures for safeguarding patient data while it is stored at or being transported to off-site facilities.
- Train all workers on security policies and submit proof to HHS that the training has been completed.
- Update policies as needed, but at least on an annual basis.
- Ensure that a security risk assessment and management plan and a data breach notification policy are in place.
- Conduct reviews that include unannounced audits, spot checks and site visits at company facilities.
Source: U.S. Department of Health and Human Services
Gallagher added that the deal with Providence sends a clear message to other health care providers that HHS is finally cracking down on HIPAA violators, after having been accused of lax enforcement in the past.
The harder line is in keeping with an announcement in January that the Centers for Medicare & Medicaid Services (CMS), the HHS unit responsible for administering the HIPAA security rules, had hiredPricewaterhouseCoopers to conduct audits on its behalf. At the time, the CMS said it planned to do 10 to 20 audits this year at organizations that had been the target of complaints about their data security practices.
According to Gallagher, the CMS is expected to release findings from those audits early next year. It also plans to highlight violation trends and provide guidance on the biggest problems that health care providers are having in implementing the controls required by HIPAA. “As far as I know, they are under way with these audits,” she said.
Gallagher also expects the CMS to start working more closely on enforcement with the HHS Office of Civil Rights, which administers the data privacy rules set by HIPAA.
As of press time, the CMS had yet to respond to questions that were sent via e-mail, as an agency spokesman had requested. Providence officials also asked that questions be sent via e-mail but also hadn’t responded.
Peter MacKoul, president of HIPAA Solutions LC, a consulting firm in Sugar Land, Texas, agreed with Gallagher that the Providence settlement was a dramatic example of the potential consequences of HIPAA violations.
“If you look at what they’re being forced to do, it’s scary,” he said. “They have lost their ability to contest anything; there’s no way of getting out of this agreement. And this is the best deal they could get.”
MacKoul added that while Providence was audited for data security violations, many of the corrective actions it is being required to implement fall into the privacy realm, showing that HHS is making little distinction between privacy and security for compliance purposes.
And based on the terms of the CAP, organizations that have to comply with HIPAA shouldn’t be lulled into complacency by the previous lack of enforcement, MacKoul warned. “If I were a covered entity, I wouldn’t want to roll the dice and get caught up in something like this,” he noted.
The resolution agreement does appear to be a belated attempt by HHS to get the health care industry to take HIPAA more seriously, said Chris Apgar, president of consulting firm Apgar & Associates LLC in Portland, Ore. “I think it’s about time they used somebody as an example,” he said.
Even so, it’s unrealistic to expect a large increase in the number of HIPAA enforcement actions in the near term, according to Apgar and other analysts. Such actions are triggered only when complaints are lodged against organizations. HHS has no HIPAA cops who are actively looking for violations, and health care providers aren’t required to report internal violations themselves.
Also, neither the CMS nor the HHS Office of Civil Rights has anywhere near the resources or the funding needed to investigate all of the complaints that are filed. As a result, examples such as the settlement deal with Providence will likely continue to be more the exception than the rule, Apgar said.
In fact, one of the primary reasons why Providence was investigated in the first place no doubt was the publicity generated by the incidents involving lost IT equipment, said Randy Yates, director of security at Memorial Hermann Healthcare System in Houston.
“Once something that large hits the media, the government is bound to do something,” Yates said. “[The CAP] puts out a message that says, ‘We see this thing, and we don’t like it.'”
Often, enforcement actions are important because they get the attention not just of those in charge of implementing privacy and security policies, but also of those who control the purse strings within organizations. Last year, for instance, the audit at Piedmont Hospital contributed to the approval of a $1.3 million budget item for data encryption at Memorial Hermann.
But if the investigations are as sporadic as they have been in the past, the buzz generated will fade away quickly, said Christopher Paidhrin, IT security officer at ACS Healthcare Solutions, a Dearborn, Mich.-based unit of Affiliated Computer Services Inc.
Paidhrin noted that the Piedmont audit last year initially raised a considerable amount of concern among health care providers. But most of that concern eventually melted away when the expected increase in enforcement actions failed to materialize. The same thing will likely happen in the aftermath of the Providence Health settlement, he said — unless HHS takes additional actions elsewhere and publicizes them to the same extent.