Q&A

Providence Health CSO on Recovering From HIPAA Violations

Eric Cowperthwaite, CSO of Seattle-based Providence Health & Services, opens up about the organization's efforts to bounce back from HIPAA violations.

By Bill Brenner, Senior Editor

August 11, 2008 — CSO — Providence Health & Services has the uncomfortable distinction of being the first organization penalized for violating the privacy section of the federal Health Insurance Portability and Accountability Act (HIPAA).

The Seattle-based organization, which operates a health plan and several hospitals, recently agreed to fork over $100,000 and make good on a systems improvement plan as part of a deal with the U.S. Department of Health & Human Services (HHS) to settle allegations it lost laptops and electronic backup programs with individually identifiable health information in 2005 and 2006.

According to published reports, HHS investigated Providence Health after it fielded more than 30 complaints from those whose information was compromised when unencrypted laptops, optical disks and backup tapes went missing after being left unattended between September 2005 and March 2006. In all, 386,000 patients were exposed to potential identity fraud.

In this Q&A, Providence Health CSO Eric Cowperthwaite (who was hired in 2006) explains the steps the organization has taken to ensure such a security lapse doesn't happen again.

CSO: Let's start with a description, from your perspective, of what happened.
Eric Cowperthwaite: There's a fair amount of information publically available, but other than that we're being pretty cautious about what we're willing to talk about [due to ongoing legal issues].

Do you feel the agreement with HHS is fair toward Providence Health?
Cowperthwaite: The agreement includes a corrective action plan that, in my opinion, recognizes that we have an ongoing security program that has been focused on improving and strengthening our security capabilities and our ability to protect patient information. The fact that HHS didn't require us to have third-party oversight as we developed and implemented the plan is significant. With agreements like this you often see that sort of oversight included. I think it shows that HHS recognizes our focus to improve security.

What are the main problems your action plan seeks to address?
Cowperthwaite: Areas of significant risk include the mobility of data, the data access internal employees have and making sure it is appropriate based on their role, and having the ability to detect and react to an incident in a timely manner. These are among the main components of the corrective action plan.

Let's look at this from the patient's perspective. When they use your online system, is there anything they will notice in the user experience that's a direct result of the security improvements you've put in place?
Cowperthwaite: There is no change to the user experience. The changes are really behind the scenes. In our security program one thing you see is the need to know who has access to health information and whether they should have that access. We have to know who has access to the patient's data. If there's an improper use of data it's our responsibility to determine how it happened so it doesn't happen in the future.