Skagit County in northwest Washington state has been fined $215,000 for violations of the HIPAA privacy, security, and breach notification rules. The U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into a settlement agreement with the County on March 6. The settlement, which includes a corrective action plan for the County, is the first such action taken against a local government for HIPAA non-compliance.
From September 14 to September 28, 2011, the protected health information (“PHI”) of 1,581 individuals served by the County’s public health department was disclosed because it was accessible on the County’s public Web server. The County discovered the breach on September 28 and first notified OCR on November 16, 2011. But the County took no action to mitigate the breach or comply with HIPAA. According to the OCR, “From November 28, 2011 until present, Skagit County failed to provide notification as required by the Breach Notification Rule to all of the individuals for whom it knew or should have known that the privacy or security of the individual’s ePHI had been compromised as a result of the breach incident.”
In violation of the Security Rule, the County failed to implement sufficient policies and procedures to prevent, detect, contain, and correct security violations. It was not until June 1, 2012 that the County finally implemented policies and procedures to ensure compliance with the Security Rule, and at no time did the County provide security awareness training to its employees.
The agreed-to corrective action plan includes notifying affected individuals and local media, as well as posting a notification prominently on the County’s home page for 90 days. According to the resolution agreement, the County also will conduct “an accurate and thorough assessment of the potential risks and vulnerabilities,” train employees, and implement sufficient security measures. Moreover, “Skagit County shall maintain for inspection and copying all documents and records relating to compliance with this [corrective action plan] for six years.”
This incident highlights the need for entities maintaining PHI to ensure that appropriate policies and procedures are in place to protect PHI and to respond to breaches of it in a timely manner.