Two years ago, I wrote that I was "puzzled, bordering on angry, that, (i)n the three years since Americans gained federal protection for their private medical information, the Bush administration has received thousands of complaints alleging violations but has not imposed a single civil fine and has prosecuted just two criminal cases."
Be careful what you wish for:
"WASHINGTON - The Department of Health and Human Services has levied a $100,000 fine on Seattle-based Providence Health and Services for alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules."
According to its web site, Providence isn't an insurer, per se, but a "not-for-profit health system" which includes hospitals, clinics, physicians, even a university. They both provide and finance health care, so make of that what you will.
In the event, Providence was cited for a number of violations, including "unprotected backup tapes, optical disks and laptops, [which] compromised the protected health information of more than 386,000 patients." That's a lot of PHI.
If you'd like to see a copy of the agreement itself, just click here.
What I found to be even more interesting was this little factoid:
"The OCR [Office for Civil Rights] and the Centers for Medicare & Medicaid Services report they have successfully resolved more than 6,700 HIPAA Privacy and Security Rule cases."
I recently had my own experience with a carrier and PHI, and ended up filing such a claim (which was later resolved to my satisfaction), and it surprised me that the process itself is generated from the OCR website. And, as noted above, it looks like the gummint's been a bit more proactive in cracking down on these violators.
And that's a good thing.
[H/T: Regular Reader Fred W]