News Feature | March 18, 2014

HHS Fines Washington County Government $215,000 For HIPAA Violations

Christine Kern

By Christine Kern, contributing writer

HIPAA Violations

Skagit County to pay $215,000 to settle health information security violations

The National Law Review reports that Skagit County, WA has agreed to pay $215,000 and comply with a three-year corrective action plan to settle potential violations of the privacy and security rules under HIPAA. The punishment was originally announced by HHS.

HHS stated Skagit County, in addition to paying the $215,000 fine, will work closely with HHS to correct deficiencies in its HIPAA compliance program.  Located in Northwest Washington, Skagit County is home to approximately 118,000 residents. The Skagit County Public Health Department provides essential services to many individuals who would otherwise not be able to afford health care.

“This case marks the first settlement with a county government and sends a strong message about the importance of HIPAA compliance to local and county governments, regardless of size,” said Susan McAndrew, deputy director of health information privacy at the HHS Office for Civil Rights (OCR).  “These agencies need to adopt a meaningful compliance program to ensure the privacy and security of patients’ information.”

Entities covered by HIPAA include cities and counties and, as this case illustrates, the consequences for possible non-compliance can be severe.

The OCR investigation was launched against Skagit County and its Department of Public Health in 2011, after receiving “a breach report that money receipts with electronic protected health information (ePHI) of seven individuals were accessed by unknown parties after the ePHI had been inadvertently moved to a publicly accessible server maintained by the County.” The investigation uncovered the transfer of the ePHI of some 1,581 individuals, many of which included files about the testing and treatment of infectious diseases.

According to the Resolution Agreement, Skagit County allegedly failed to provide notification, as required by the HIPAA Breach Notification Rule, to all affected individuals for whom it knew or should have known that the privacy or security of the individuals’ ePHI had been compromised.

The OCR’s enforcement activity uncovered “general and widespread non-compliance by Skagit County with the HIPAA Privacy, Security, and Breach Notification Rules.” The investigation opened files going back to April 20, 2005 (the effective date of the security rules) and found alleged non-compliance with certain requirements of the rules, including the failure to maintain written policies and train employees.

Since the Skagit County Public Health Department provides essential services to individuals who otherwise would not be able to afford health care, the $215,000 payment to OCR certainly will be a hit to the Department’s budget and the services it provides. However, Skagit County continues to cooperate with OCR through a corrective action plan to ensure it has in place written policies and procedures, documentation requirements, training, and other measures to comply with the HIPAA Rules.  This corrective action plan also requires Skagit County to provide regular status reports to OCR.

The Resolution Agreement can be found on the OCR website at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/skagit-agreement.html.

The lesson from this case is that cities, counties and other public sector entities that perform HIPAA-covered functions are also subject to the HIPAA regulations, and they should review their policies and procedures to ensure compliance. Basic components of an effective program include risk assessment, written policies and procedures, training, breach response plan, and documentation.