The Department of Health and Human Services (HHS) recently announced its first settlement with a county government over violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules. Skagit County, Washington, with a population of 118,000, agreed to pay a monetary settlement amount of $215,000 and work with HHS to improve Skagit County’s HIPAA compliance procedures.
The case came after an investigation by the HHS Office for Civil Rights (OCR) revealed widespread HIPAA noncompliance on the part of the County. OCR began investigating Skagit County after it received a breach report that electronic protected health information (ePHI) had been inadvertently made public when the ePHI was placed on the county’s public web server. This resulted in the public access of ePHI of seven people. Upon investigating, OCR discovered that even more protected health information had been potentially exposed during the incident than initially thought, including the ePHI of 1,581 individuals and sensitive information such as testing and treatment of infectious diseases.
OCR’s investigation concluded that there was widespread non-compliance by Skagit County with the HIPAA Privacy, Security, and Breach Notification Rules. In addition to the settlement terms imposed on the County, the County is also to provide regular status reports to OCR and continue to cooperate with OCR to ensure that it maintains procedures that comply with HIPAA requirements.
TIP: Even if not a government agency, this case is a reminder that after reporting a breach, the entity reporting may find its data security and protection measures closely scrutinized.