The U.S. Department of Health and Human Services (HHS) sent a strong message to local governments last week when it reached a settlement with Skagit County, Washington over alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). This is the first time that HHS has settled charges against a local—and not state level—government entity for HIPAA violations (in a prior HIPAA enforcement action, HHS reached a settlement with Alaska’s state Medicaid agency).
The charges stem from a data breach in September 2011 involving the electronic protected health information (ePHI) of 1,581 individuals served by the Skagit County Public Health Department. This breach prompted the HHS Office for Civil Rights (OCR) to investigate the county’s privacy and security practices, which resulted in OCR discovering “widespread non-compliance” with the HIPAA Privacy, Security, and Breach Notification Rules. On March 6, the investigation culminated in a resolution agreement that requires Skagit County to pay $215,000 and adhere to a stringent remediation and reporting program.
The investigation began on December 9, 2011 when Skagit County, home to approximately 118,000 residents in northern Washington, reported to HHS that it had inadvertently provided public access to the ePHI of seven individuals. This minor breach soon escalated into a comprehensive investigation when HHS discovered that Skagit County had inadvertently uploaded files containing the ePHI of 1,581 individuals onto a public web server. This mistake gave web browsers public access to a wide range of ePHI, including sensitive health information about the testing and treatment of infectious diseases. The public access, which lasted from September 14 until September 28, 2011, was deemed by OCR to be a violation of the Privacy Rule. In addition to violating the Privacy Rule, OCR discovered several alleged Security Rule violations, including:
- Skagit County Had Insufficient Risk Management Policies. The county allegedly failed to implement sufficient policies and procedures to prevent, detect, contain, and correct security violations;
- Skagit County Had Insufficient Security Policies. The county allegedly failed to implement and maintain documented policies and procedures reasonably designed to ensure compliance with the Security Rule; and
- Skagit County Had an Inadequate Security Training and Awareness Program. The county allegedly failed to provide appropriate security awareness and training to its workforce members, including its Information Security staff members.
OCR also charged Skagit County with violations of the Breach Notification Rule based on finding that the county failed to notify all of the individuals whose ePHI had been compromised as a result of the breach.
Skagit County chose to settle these charges, agreeing to pay a $215,000 resolution amount and to adhere to a Corrective Action Plan (CAP) that requires implementing strict remediation procedures and providing annual compliance reports to OCR for approximately three years. Under the CAP, Skagit County must provide substitute breach notification (via print or broadcast media and posting on its website home page) to the individuals whose ePHI was compromised due to the breach, but who have yet to receive individual notification. It also requires the county to implement accounting of disclosures procedures, which must be approved by HHS. Furthermore, the CAP provides several security-related requirements, including:
- Conduct Risk Assessments and Implement a Vulnerability Management Program. The CAP requires the county to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the county, and then to implement security measures sufficient to reduce the risks and vulnerabilities identified in the risk analysis to a reasonable and appropriate level.
- Implement a Security Training and Awareness Program. Under the CAP, the county is required to provide HIPAA training to all workforce members with access to ePHI upon hire and on a continuing basis.
- Implement an Incident Response and Reporting Program. The County is required to investigate all reports identifying potential workforce violations of its Privacy, Security, and Breach Notification policies and procedures, and to notify HHS regarding any actual violations found.
With this settlement, HHS has now entered into 17 resolution agreements since 2008 with covered entities (and in one case, HHS imposed a civil money penalty). But resolution agreements are not the only HIPAA enforcement mechanisms being used by HHS. HHS is gearing up to begin a new round of HIPAA audits in 2014, recently announcing its plan to survey up to 1,200 covered entities and business associates in order to assess their suitability for an audit. And HHS is not the only cop on the beat, as state and territory agencies have also ramped up their own enforcement of the HIPAA Rules, including the $6.8 million fine issued last month by the Puerto Rico Health Insurance Administration against Puerto Rican insurer Triple S Salud. This increased enforcement environment reinforces the HHS message that local and county governments, regardless of their size, “need to adopt a meaningful compliance program to ensure the privacy and security of patients’ information.”
Special thanks to Adam Solomon, an associate in our Washington, D.C. office, for his substantial assistance in the preparation of this entry.