To start 2014, HHS OCR issued its first resolution agreement of the year and its first settlement with a county government—signaling that even local and county governments, regardless of size, must safeguard the privacy and security of patient information in compliance with HIPAA.

Skagit County, Washington (County), located in northwest Washington with approximately 118,000 residents, agreed to settle potential violations of the HIPAA Privacy, Security, and Breach Notification Rules with a $215,000 monetary payment and a three-year corrective action plan (CAP). The Skagit County Public Health Department provides essential services to residents who are unable to afford healthcare. The resolution agreement stems from the County’s December 9, 2011, notification to HHS OCR that money receipts with ePHI of seven individuals were accessed by unknown parties after the ePHI had been inadvertently moved to a publicly accessible server maintained by the County.

On May 25, 2012, OCR notified the County of its investigation and indicated that:

  • from approximately September 14, 2011, until September 28, 2011, the County disclosed the ePHI of approximately 1,581 individuals (not just seven individuals as initially reported); the accessible files involved sensitive information, including PHI concerning the testing and treatment of infectious diseases;
  • from November 28, 2011, to the date of the resolution agreement, the County failed to provide notification as required under the Breach Notification Rule; from April 20, 2005, to the date of the resolution agreement, the County failed to implement sufficient policies and procedures to prevent, detect, contain and correct security violations;
  • from April 20, 2005, until June 1, 2012, the County failed to implement and maintain, in written or electronic form, policies and procedures reasonably designed to ensure compliance with the Security Rule; and
  • from April 20, 2005, until the date of the resolution agreement, the County failed to provide security awareness and training to workforce members, including its Information Security staff members, as necessary to and appropriate for workforce members to carry out their functions within the County.

As part of the settlement, the three-year corrective action plan focuses on substitute notice regarding the incident; a review of the County’s accounting of disclosures procedure, including regarding the incident; the County’s hybrid entity and business associate documentation; the County’s security management process; creation and revision of policies and procedures for the County’s covered healthcare components; training of the County’s workforce members involved with the County’s covered healthcare components who have access to ePHI regarding compliance with the Privacy, Security, and Breach Notification Rules; and investigating and reporting to HHS OCR regarding any failures in compliance by a workforce member of a covered healthcare component. For the three-year period, the County also shall submit to HHS annual reports with respect to the County’s compliance with the CAP, which shall include a summary of the security management measures taken during the reporting period, a summary of reportable events identified during the reporting period and the status of any corrective and preventive action, and an attestation signed by an officer of the County attesting review, reasonable inquiry and accurateness of the report.

The OCR’s action against Skagit County indicates that all organizations acting as covered entities—including agencies like local and county governments which may be hybrid entities—must comply with HIPAA and safeguard patient information with, among other things, policies and procedures and adequate workforce training. As commented by Susan McAndrew, deputy director of health information privacy at HHS OCR, “[A]gencies need to adopt a meaningful compliance program to ensure the privacy and security of patients’ information.”

A copy of HHS OCR’s press release regarding the Skagit County resolution agreement can be found here.

This resolution is at least the second time that OCR has fined a governmental entity. County hospital districts, state academic medical centers and other governmental covered entities should review their HIPAA compliance and ensure the implementation of appropriate administrative, physical and technical safeguards. OCR has made it clear that governmental entities are subject to HIPAA, and OCR will not hesitate to investigate and fine covered entities that are out of compliance.