$100,000 HIPAA Fine – Way Too Little, and Way Too Late

After more than five – FIVE – years of the HIPAA rules, and bazillions of small private practices of doctors, dentists, chiropractors, optometrists, shrinks, etc., NOT being compliant with the rules, and bazillions more patients who have no clue what their HIPAA healthcare privacy rights are, HHS finally got off their heinie and fined a hospital system in Washington State because it kept leaving those pesky laptops lying around, getting stolen, and not doing anything about it.  More than 386,000 patients’ healthcare information was lost on those laptops.  (Note to self — hasn’t almost every loss of patient information lately been due to the loss of a laptop?  Must investigate why hospitals let members of their workforce walk out the door with laptops full of patient data. . .)

But wait – what’s that you say?!  It’s not a fine??  Why, by gosh and by golly, you’re right.  HHS has declined to call this a “fine” – they’re calling it a Resolution Amount.  Oh.  Yeah, that makes it all better.

Here’s how HHS describes it: “In the agreement, Providence agrees to pay $100,000 and implement a detailed Corrective Action Plan to ensure that it will appropriately safeguard identifiable electronic patient information against theft or loss. The Resolution Agreement relates to Providence’s loss of electronic backup media and laptop computers containing individually identifiable health information in 2005 and 2006. . .

“On several occasions between September 2005 and March 2006, backup tapes, optical disks, and laptops, all containing unencrypted electronic protected health information, were removed from the Providence premises and were left unattended. The media and laptops were subsequently lost or stolen, compromising the protected health information of over 386,000 patients. HHS received over 30 complaints about the stolen tapes and disks, submitted after Providence, pursuant to state notification laws, alerted patients to the theft. Providence also reported the stolen media to HHS. OCR and CMS together focused their investigations on Providence’s failure to implement policies and procedures to safeguard this information.

“As a result, Providence agrees to pay a $100,000 resolution amount to HHS and implement a robust Corrective Action Plan that requires: revising its policies and procedures regarding physical and technical safeguards (e.g., encryption) governing off-site transport and storage of electronic media containing patient information, subject to HHS approval; training workforce members on the safeguards; conducting audits and site visits of facilities; and submitting compliance reports to HHS for a period of three years.”

After pulling up the handy calculator that Microsoft® XP® so nicely provides, I’ve calculated that each patient’s healthcare info was worth, let’s see, 100,000 divided by 386,000 = about .259; which is 25.9¢.  Is that right?  Let’s check: (.259)(386,000) = 99,974.  Okay, close enough.

What this means is, if you were one of those folks whose healthcare information was stolen because Seattle-based Providence Health & Services couldn’t get its act together over a more than two-year period and ENCRYPT the data contained on the laptops, tapes, etc., or even PREVENT them from being stolen in the first place (GPS locator, anyone?  Sheesh, even my cell phone has one.), your healthcare info was worth a measly 25.9¢. 

All I can say is: wow.

Whether you’re a Democrat or a Republican or a Libertarian, or a Green, or an Independent, etc., a radical change in leadership at the level of the Cabinet position of Secretary of Health & Human Services (HHS) is called for.  Your and your family’s health information has got to be worth more than a little over a quarter.  Really.

So, think carefully and VOTE.

I blog regularly about the HIPAA Privacy & Security Rules.  If you’ve got a question about the privacy of your healthcare records, email me at hipaadiva@yahoo.com.  I would be happy to help you if I can.



2 responses to “$100,000 HIPAA Fine – Way Too Little, and Way Too Late”

  1. On the Providence story… and what do you think would be an appropriate fine? And why?

    The story of the laptop theft aside for a moment, as a not-for-profit health system which provides hundreds of millions of dollars in health care back to the communities it serves, would the common good be better served if a million dollar fine transferred some of that money to the government? Your .29 calculation fails to consider the millions that were spent by Providence to provide credit safeguards to patients whose records were exposed. And the millions more spent on taking corrective actions – which, yes, should have been taken earlier in the form of proactive safeguards.

    I just think you are lashing out at the wrong people here.

    Barb Wilson
    Madras, Oregon

  2. I think the common good would have been served had Providence put into place appropriate safeguards for the information on the laptops after the *first* one was stolen, not *two years later* when the problem became so egregious that they felt it necessary to report the problem to HHS themselves.

    Respectfully, who should we lash out at here? Providence — who spent $100,000 on a fine, plus tens of thousands, if not much more, mitigating the results of their lax internal behavior which put the identities, health information, and potentially insurance information of 386,000 people at risk over a period of years? Or. . . who?

    How would all that money have been better spent — particularly if Providence had ensured that the money didn’t have to be spent in the first place? I think it would have been better spent on the care of its patients, not in mitigating this profound lapse in Providence’s management’s judgment.

    Yes, I think the folks who didn’t step up to the plate should take the heat. That includes Providence, for the obvious reasons, and HHS, for not enforcing the Privacy & Security Rules much earlier. Had HHS made it clear that they themselves took the rules seriously, maybe the covered entities would do so, too.

    And you’re right, I only considered the value of the fine against the individuals’ health information.

    Thanks very much for your comments, Barb, they are much appreciated.
