A county government in Washington state agreed to pay $215,000 in a settlement with the U.S. Department of Health and Human Services, after its report of a minor breach led to an HHS investigation that found “general and widespread noncompliance” with HIPAA privacy and security rules.
The incident originally reported by Skagit County, Wash., in 2011 involved money receipts from the county’s Public Health Department, which had been inadvertently moved to a publicly accessible server maintained by the county. The county reported that just seven individuals had been affected, but when HHS’ Office for Civil Rights investigated, it found that in fact the electronic protected health information of 1,581 recipients had been exposed, including sensitive information like “the testing and treatment of infectious diseases.”
OCR alleged not only that the breach itself violated HIPAA’s privacy rules — and that Skagit County should have notified all 1,581 affected individuals rather than just the seven — but also that, since the security rule’s original 2005 compliance deadline, the county had failed to implement, maintain or train personnel on compliant security policies and procedures.
“This case marks the first settlement with a county government and sends a strong message about the importance of HIPAA compliance to local and county governments, regardless of size,” Susan McAndrew, OCR deputy director of health information privacy, said March 7 in announcing the settlement. “These agencies need to adopt a meaningful compliance program to ensure the privacy and security of patients’ information,” she said.
Like most “resolution agreements” to date, the settlement includes a corrective action plan. Skagit County must provide substitute notification of the breach to affected individuals not previously notified, ensure that the breach is included in any accounting of disclosures and document its health care components and their business associates. The county also must conduct, document and submit the general risk analysis and management steps required by the security rules, along with the related policies, procedures and training.
County’s Response
In a statement, Skagit County indicated that it acted aggressively to remove the receipts from public exposure, and had invested “significant resources” to step up PHI security since then. These receipts did not contain full credit card numbers, Social Security numbers, birth dates or addresses, the county added.
“Skagit County understands the importance of safeguarding our patients’ personal information and takes this responsibility very seriously,” said Donnie LaPlante, the county’s privacy officer. “We regret that this incident occurred, and are committed to preventing any future occurrences.”
The growing tally of HIPAA enforcement actions is detailed in the Employer’s Guide to HIPAA Privacy Requirements.