Providence Health Care Case Study

On July 16, 2008 Seattle based Providence Health and Services settled with

HHS (Health and Human Services) agreeing to pay them 100,000.00 and implement a detailed Corrective Action Plan (CAP) for violations that occurred on several occasions between Sept. 2005 and March 2006 when Providence employee’s removed backup tapes, optical disks, and laptops, all containing unencrypted electronic protected health information (ePHI) from hospital premises which were later lost or stolen. However, Providence’s cooperation with OCR and CMS enabled HHS to resolve this issue, without imposing any civil monetary penalty against Providence even though ePHI for 386,000 patients was compromised. The CAP that was implemented required Providence to provide training

in processes and procedures to employees, as well as ensuring monitoring, policy adherence, and breach procedures. If it was determined that Providence failed to meet these guidelines, then HHS would proceed with the imposition of the civil money penalty. There was a Tolling of statute of limitations set for a civil money penalty that must be imposed within six years, from the date of the occurrence of the violation.
I feel that the patient’s in this case were not even considered. There were 386,000 patients whose identifiable information was compromised. Their birth dates, SSN, addresses, and license numbers are all information that anyone could use to obtain, false identification, or obtain credit in someone’s name. The impact that could be felt on these patient’s credit histories could last for years to come. I also feel, that this could impact the relationship that one has between themselves and their doctor. If there is not a strict and forceful punishment to detour health facilities from being so lax, it could impede some people from seeking needed health care, due to concern for privacy. I would at the very minimum recommend that Providence be required to offer each patient a bi-yearly credit check, and if it was found that the patients identity had been stolen, that Providence pay for any fees or bad debt that had been incurred due to their error. I would also, require Providence to work with the patient to clear their credit and restore it back to the state it was when the breach occurred for a minimum of 6 years which is the same amount time as the Tolling statute of limitations.
On January 16, 2009 CVS Pharmacy/Caremark reached an agreement with HHS to settle potential violations of the HIPPA privacy rule.

CVS/Caremark agreed to pay $2.5 million and implement a detailed CAP to ensure that protected health information of its customers was disposed of properly. It was reported by a media source that CVS’s employees were throwing away old prescriptions and labels from pill bottles into unsecured dumpsters that the public had access to. CVS/Caremark is one of the largest pharmacy chains and pharmaceutical distributors in the country with over 6,300 stores. Upon completion of the investigation conducted by HHS and the Federal Trade Commission (FTC) it was revealed that although CVS had provided training to its employee’s it was not sufficient to cover the disposal of non-electronic PHI consistent with the Privacy

Rule.
CVS agreed to follow a CAP and oversight from HHS for 3 years, and also will require monitoring by the FTC for 20 years. The CAP will require CVS to have written policies and procedures on how training will be implemented as well as written and electronic documentation evidence that training occurred. The CAP also stipulated that CVS was to provide training to all its employees, within a minimum amount of time after being hired, and documentation was to be on file and available to the Office of Civil Rights (OCR) at all times during business hours. There were also requirements for accessors, retention and internal reporting.
I believe that in this case that the ruling is fair. Only because on a pill bottle or a prescription, there is minimal amount of information. Typically, there would only be your name, your address and what you are taking. While I agree this is definitely a privacy violation, there is not any secondary damage that could happen by the information being thrown in the dumpster. Even though the judgement for $2.5 million, I feel that amount of money is just a drop in the bucket for CVS/Caremark. More than likely the sanctions that followed will be the reason that they will not violate the Privacy Rule again. Having the FTC on your doorstep for the next 20 years is enough to get anyone’s attention.
On September 27, 2010 what was believed to be at that time the biggest settlement to date, HHS and OCR completed an investigation of New York and Presbyterian Hospital (NYP) and Columbia University (CU) regarding a complaint by an individual who found their deceased partners ePHI on the internet, who had been a former patient of NYP. It was discovered that NYP and CU participated in a joint arrangement in where CU faculty members served as attending physicians at NYP. The affiliation was referred to as “New York Presbyterian Hospital/Columbia University Medical Center”. During this affiliation they operated a shared data network, and network firewall. This was used by both entities to access patient ePHI information, and other information such as Patient status, vital signs, medications and laboratory results. The investigation revealed that a breach occurred when a physician deactivated his personally-owned computer server on the network containing information on 6800 NYP patient ePHI. This physician was employed by CU and was the developer of the application that linked the two sites. There were no technical safeguards in place, when this happened and neither entity ran an accurate risk analysis to ensure that NYP ePHI was secure. As a result, neither entity developed a Risk management plan to address possible threats to NYP’s ePHI. Also, NYP failed to follow their own policies that they had implemented for information access management.
NYP agreed to pay $3,300,000.00 and CU agreed to pay $1,500,000.00 and both will follow a CAP which includes a Risk management plan, Risk analysis plan. Both will revise their policies and procedures, and be required to train staff as well as provide progress reports. In regards to the Tolling statute of limitations, the civil money penalty must be imposed within six years of the date of the occurrence.
While, I feel the punishment was harsh enough, I still don’t feel as though the patients are being considered.

It is obvious in all three investigations that the patients are left to fight their court cases alone. When HHS, does these investigations they spend the tax payer’s money, and the money that they get from fining these health care facilities. Why is there no accommodations made for the patients? After all, that is the reason HHS, FTC and OCR are in business. I also feel that we should have a department that is set up to handle these cases, with lawyers to fairly prosecute these large companies for not following our laws correctly. I feel that as an individual it would seem like a very daunting task to win a judgement against a big corporation like New York Presbyterian, or CVS/Caremark even though the judgements against them will almost insure victory for the patients. I feel the government should stand behind these patients, and help them through a problem that could last for years. These days identity theft is on the rise. If we cannot expect the companies that require us to provide this information to process our claims, to handle it properly, then there should be recourse that doesn’t require long court

battles