This article originally appeared in the December 2008 IADC Medical Defense and Health Law Committee Newsletter.
On August 21, 1996, Congress enacted the Health Insurance Portability and Accountability Act ("HIPAA") (P.L. No. 104-191) which required the U.S. Department of Health & Human Services ("HHS") to adopt, among other things, national standards that protect the confidentiality and integrity of electronic protected health information ("ePHI"). The standards--known as the HIPAA Security Rule--were published on February 20, 2003, and regulate and safeguard ePHI when it is stored or transmitted by health plans and most health care providers (referred to as HIPAA "covered entities"). Charged with HIPAA Security Rule oversight and enforcement, the Centers for Medicare & Medicaid Services ("CMS") has the authority and responsibility to: (1) interpret, implement, and enforce the HIPAA Security Rule provisions; (2) conduct compliance reviews and investigate and resolve complaints of Security Rule violations; and (3) impose civil monetary penalties for a covered entity's failure to comply with the Security Rule.
Security Rule Oversight and Enforcement
Over the last year, CMS' oversight and enforcement of covered entities' HIPAA Security Rule implementation and compliance has been in the spotlight. In January 2008, Government Health IT reported that CMS would soon begin conducting Security Rule compliance reviews at 10-20 large U.S. hospitals. This announcement was made by Tony Trenkle, director of CMS' Office of E-Health Standards and Services ("OESS"), during a keynote address on Security Rule compliance and OESS activities. Government Health IT also advised that PriceWaterhouseCoopers--a national accounting and consulting firm--had been tapped by CMS to assist with these review efforts.
In July 2008, in the first case of its kind, CMS announced that Seattle-based Providence Health & Services ("Providence") had entered into a Resolution Agreement with the federal government to settle potential violations of both the HIPAA Privacy Rule and Security Rule. (The incidents giving rise to the agreement stemmed from the apparent removal of backup tapes, optical disks, and laptops from Providence between September 2005 and March 2006--all of which contained ePHI.) In the settlement, Providence agreed to pay a $100,000 resolution amount and implement a detailed Corrective Action Plan to ensure that it would appropriately safeguard identifiable ePHI...