Federal Government Settles First Case of Potential HIPAA Violations with a County Government

Skagit County, Washington, has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The county agreed to a $215,000 settlement and to correct deficiencies in its HIPAA compliance program.

“This case marks the first settlement with a county government and sends a strong message about the importance of HIPAA compliance to local and county governments, regardless of size,” said Susan McAndrew, deputy director of health information privacy at the HHS Office for Civil Rights (OCR). “These agencies need to adopt a meaningful compliance program to ensure the privacy and security of patients’ information.” (emphasis added)
 
The investigation was prompted by a Breach of the electronic Protected Health Information (ePHI) of only seven individuals, which occurred when their ePHI was moved to a publicly accessible server. OCR’s investigation further uncovered general and widespread non-compliance by Skagit County with the HIPAA Privacy, Security, and Breach Notification Rules.
 
This settlement demonstrates the Federal Government’s aggressive enforcement of HIPAA and assessment of penalties, and illustrates that all Covered Entities, even local governments, need to remain vigilant with respect to the use and disclosure of PHI. The settlement also warns Covered Entities that seemingly minor Breaches of PHI can result in significant monetary fines and sanctions.
 
All healthcare providers should regularly update their HIPAA plans and monitor compliance by their clinicians, workforce, and business associates. It is also prudent for providers to review the security of their IT infrastructure with their IT providers. A well-drafted business associate agreement that includes provisions assuring compliance by business associates and subcontractors is also a crucial element of a comprehensive compliance program.
 
For additional information on HIPAA compliance, contact Frier Levitt today.