On March 7, 2014, the Department of Health and Human Services (“HHS”) announced a resolution agreement and $215,000 settlement with Skagit County, Washington, following a security breach that affected approximately 1,600 individuals.
The HHS Office for Civil Rights (“OCR”) investigated Skagit County after learning that unauthorized individuals had accessed receipts containing the protected health information (“PHI”) of patients of Skagit County’s Public Health Department. The receipts had been mistakenly stored on a publicly accessible server. During the investigation, OCR discovered that more PHI had been exposed in the incident, including information regarding the testing and treatment of infectious diseases. In the resolution agreement, OCR alleged that Skagit County had violated (1) the Privacy Rule by improperly disclosing PHI, (2) the Breach Notification Rule by not notifying all affected individuals, and (3) the Security Rule by failing to implement policies and procedures to prevent security violations and ensure compliance with the Security Rule and by not training its workforce.
Pursuant to the resolution agreement, Skagit County has agreed to pay a $215,000 settlement to HHS. In addition, the Corrective Action Plan attached to the resolution agreement requires Skagit County to:
- provide substitute breach notification in print or broadcast media to all of the individuals affected by the incident;
- submit its accounting of disclosures procedure, hybrid entity documentation and sample business associate agreement to HHS for review;
- conduct a risk analysis as required by the Security Rule;
- create or revise its HIPAA policies and procedures; and
- provide HIPAA training to its workforce.
In announcing the resolution agreement, Susan McAndrew, Deputy Director of Health Information Privacy at OCR, stated that the case “sends a strong message” to local and county governments that they must “adopt a meaningful compliance program to ensure the privacy and security of patients’ information.”