Tag Archives: corrective action plan

$100,000 HIPAA Fine – Way Too Little, and Way Too Late

After more than five – FIVE – years of the HIPAA rules, and bazillions of small private practices of doctors, dentists, chiropractors, optometrists, shrinks, etc., NOT being compliant with the rules, and bazillions more patients who have no clue what their HIPAA healthcare privacy rights are, HHS finally got off their heinie and fined a hospital system in Washington State because it kept leaving those pesky laptops lying around, getting stolen, and not doing anything about it.  More than 386,000 patients’ healthcare information was lost on those laptops.  (Note to self — isn’t almost every loss of patient information lately been due to the loss of a laptop?  Must investigate why hospitals let members of their workforce walk out the door with laptops full of patient data. . .)

But wait – what’s that you say?!  It’s not a fine??  Why, by gosh and by golly, you’re right.  HHS has declined to call this a “fine” – they’re calling it a Resolution Amount.  Oh.  Yeah, that makes it all better.

Here’s how HHS describes it: “In the agreement, Providence agrees to pay $100,000 and implement a detailed Corrective Action Plan to ensure that it will appropriately safeguard identifiable electronic patient information against theft or loss. The Resolution Agreement relates to Providence’s loss of electronic backup media and laptop computers containing individually identifiable health information in 2005 and 2006. . .

“On several occasions between September 2005 and March 2006, backup tapes, optical disks, and laptops, all containing unencrypted electronic protected health information, were removed from the Providence premises and were left unattended. The media and laptops were subsequently lost or stolen, compromising the protected health information of over 386,000 patients. HHS received over 30 complaints about the stolen tapes and disks, submitted after Providence, pursuant to state notification laws, alerted patients to the theft. Providence also reported the stolen media to HHS. OCR and CMS together focused their investigations on Providence’s failure to implement policies and procedures to safeguard this information.

“As a result, Providence agrees to pay a $100,000 resolution amount to HHS and implement a robust Corrective Action Plan that requires: revising its policies and procedures regarding physical and technical safeguards (e.g., encryption) governing off-site transport and storage of electronic media containing patient information, subject to HHS approval; training workforce members on the safeguards; conducting audits and site visits of facilities; and submitting compliance reports to HHS for a period of three years.”

After pulling up the handy calculator that Microsoft ® XP ® so nicely provides, I’ve calculated that each patient’s healthcare info was worth, let’s see, 100,000 divided by 386,000 =  about .259; which is 25.9¢.  Is that right?  Let’s check: (.259)(386000) = 99,974.  Okay, close enough. 

What this means is, if you were one of those folks whose healthcare information was stolen because Seattle-based Providence Health & Services couldn’t get its act together over a more than two-year period and ENCRYPT the data contained on the laptops, tapes, etc., or even PREVENT them from being stolen in the first place (GPS locator, anyone?  Sheesh, even my cell phone has one.), your healthcare info was worth a measly 25.9¢. 

All I can say is: wow.

Whether you’re a Democrat or a Republican or a Libertarian, or a Green, or an Independent, etc., a radical change in leadership at the level of the Cabinet position of Secretary of Health & Human Services (HHS) is called for.  You and your family’s health information has got to be worth more than a little over a quarter.  Really.

So, think carefully and VOTE.

I blog regularly about the HIPAA Privacy & Security Rules.  If you’ve got a question about the privacy of your healthcare records, email me at hipaadiva@yahoo.com.  I would be happy to help you if I can.