In the first HIPAA violation settlement with a county government, the Department of Health and Human Services (HHS) announced today that Skagit County, in northwest Washington, has agreed to a $215,000 monetary settlement and to work closely with HHS on a HIPAA compliance program.
According to HHS, the Skagit County Public Health Department, which offers services to individuals who would otherwise not be able to afford healthcare, violated the HIPAA Privacy, Security, and Breach Notification Rules in an incident affecting 1,581 individuals. OCR began investigating Skagit County on December 9, 2011, upon receiving a breach report asserting that money receipts containing seven individuals' electronic protected health information (ePHI) had been accessed by unknown parties after the ePHI had been inadvertently moved to a publicly accessible County server. The investigation revealed that many of the patients' exposed files contained sensitive information, such as PHI related to the testing and treatment of infectious diseases.
The breach occurred from September 14, 2011 until September 28, 2011. Here is the laundry list of violations in the Skagit County settlement agreement:
- From November 28, 2011 until present, Skagit County failed to provide notification as required by the Breach Notification Rule.
- From April 20, 2005 until present, Skagit County failed to implement sufficient policies and procedures to prevent, detect, contain, and correct security violations.
- From April 20, 2005 until June 1, 2012, Skagit County failed to implement and maintain in written or electronic form policies and procedures reasonably designed to ensure compliance with the Security Rule.
- From April 20, 2005 until present, Skagit County failed to provide security awareness and training to all workforce members, including its Information Security staff members, as necessary and appropriate for the workforce members to carry out their functions within Skagit County.
“This case marks the first settlement with a county government and sends a strong message about the importance of HIPAA compliance to local and county governments, regardless of size,” said Susan McAndrew, deputy director of health information privacy at the HHS Office for Civil Rights (OCR). “These agencies need to adopt a meaningful compliance program to ensure the privacy and security of patients’ information.”
Skagit County will work with OCR on a corrective action plan (CAP) to ensure it has in place written policies and procedures, documentation requirements, training, and other measures to comply with the HIPAA Rules. This corrective action plan also requires Skagit County to provide regular status reports to OCR, as it agreed to the following:
- Provide substitute breach notification to affected individuals not previously notified
- Provide to HHS for its review and approval a description of the procedure it uses to ensure that any accounting of disclosures provided pursuant to 45 C.F.R. § 164.528 contains the content that section requires (within 30 days of the effective date)
- Submit for HHS's review and approval hybrid entity documents designating its covered health care components in accordance with 45 C.F.R. § 164.105 (within 60 days of the effective date)
- Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI
- Create and revise, as necessary, written policies and procedures for its covered health care components to comply with Federal privacy and security standards
- All workforce members of Skagit County’s covered health care components who have access to ePHI shall receive general Privacy, Security, and Breach Notification Rule training
- During each Reporting Period under this CAP, Skagit County shall, upon receiving information that a workforce member of a covered health care component may have failed to comply with its Privacy, Security, and Breach Notification policies and procedures, promptly investigate the matter.
Read the full CAP here.