Co-Authored by Charles K. Shih.

To start 2014, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued its first resolution agreement of the year and its first settlement with a county government – signaling that even local and county governments, regardless of size, must safeguard the privacy and security of patient information in compliance with HIPAA.

Skagit County, Washington, located in Northwest Washington with approximately 118,000 residents, agreed to settle potential violations of the HIPAA Privacy, Security, and Breach Notification Rules with a $215,000 monetary payment and a three-year corrective action plan (CAP).  The Skagit County Public Health Department provides essential services to residents who are unable to afford health care.  The resolution agreement stems from the County’s December 9, 2011 notification to HHS OCR that money receipts with electronic protected health information (ePHI) of seven individuals were accessed by unknown parties after the ePHI had been inadvertently moved to a publicly accessible server maintained by the County.

On May 25, 2012, OCR notified the County of its investigation.  OCR’s investigation indicated that:

  • from approximately September 14, 2011 until September 28, 2011, the County disclosed the ePHI of approximately 1,581 individuals (not just seven individuals as initially reported); the accessible files involved sensitive information, including protected health information concerning the testing and treatment of infectious diseases;
  • from November 28, 2011 to the date of the resolution agreement, the County failed to provide notification as required under the Breach Notification Rule;
  • from April 20, 2005 to the date of the resolution agreement, the County failed to implement sufficient policies and procedures to prevent, detect, contain, and correct security violations;
  • from April 20, 2005 until June 1, 2012, the County failed to implement and maintain in written or electronic form policies and procedures reasonably designed to ensure compliance with the Security Rule; and
  • from April 20, 2005 until the date of the resolution agreement, the County failed to provide security awareness and training to workforce members, including its Information Security staff members, as necessary and appropriate for workforce members to carry out their functions within the County.

As part of the settlement, the three-year corrective action plan focuses on:

  • substitute notice regarding the incident;
  • a review of the County’s accounting of disclosures procedure, including as it relates to the incident;
  • the County’s hybrid entity and business associate documentation;
  • the County’s security management process;
  • creation and revision of policies and procedures for the County’s covered health care components;
  • training, regarding compliance with the Privacy, Security, and Breach Notification Rules, of the County’s workforce members who are involved with the County’s covered health care components and have access to ePHI; and
  • investigating and reporting to HHS OCR any failures in compliance by a workforce member of a covered health care component.

For the three-year period, the County shall also submit to HHS annual reports on the County’s compliance with the CAP.  Each report shall include a summary of the security management measures taken during the reporting period, a summary of reportable events identified during the reporting period and the status of any corrective and preventative action, and an attestation signed by an officer of the County attesting to the review, reasonable inquiry, and accuracy of the report.

OCR’s action against Skagit County indicates that all organizations acting as a covered entity – including agencies like local and county governments, which may be hybrid entities – must comply with HIPAA and safeguard patient information with, among other things, policies and procedures and adequate workforce training.  As Susan McAndrew, deputy director of health information privacy at HHS OCR, commented, “[A]gencies need to adopt a meaningful compliance program to ensure the privacy and security of patients’ information.”

A copy of HHS OCR’s press release regarding the Skagit County resolution agreement can be found here.