Last week’s Resolution Agreement between the US Department of Health and Human Services, Office for Civil Rights (“HHS”) and a small county in Washington State marks the first time HHS has settled an action against a county government for noncompliance with the Privacy and Security Rules under HIPAA (the “HIPAA Rules”). The Resolution Order with Skagit County, Washington requires the county to pay $215,000 and institute a detailed Corrective Action Plan.
HHS’s action results from an incident in 2011 where the ePHI of 1,581 individuals was disclosed over a two-week period on a public web server maintained by the county. According to the HHS Press Release, the original breach report stated that the ePHI of only seven individuals was at issue, but HHS’s investigation revealed a far broader disclosure and also found that many of the accessible files contained sensitive information pertaining to testing and treatment of infectious diseases. HHS also found that the county failed to provide appropriate notifications after the breach. The investigation further revealed a period of noncompliance with the HIPAA Rules going back to 2005, including failures to implement and maintain Policies and Procedures and to train workforce members appropriately. The Resolution Agreement demonstrates HHS’s commitment to enforcement when it discovers a party has committed the twin sins of long-term noncompliance and inappropriate action after a breach. (Curiously, HHS has yet to include this breach on its list of breaches of unsecured protected health information affecting 500 or more individuals.)
The Resolution Agreement with Skagit County serves as a useful reminder that HHS will take action against parties of any size, whether public or private, and is especially inclined to do so when a party shows a history of noncompliance and reacts inappropriately to a breach. Two simple things can help Covered Entities (of any size) avoid these situations: an up-to-date set of HIPAA Policies and Procedures and a well-trained workforce. Covered Entities should confirm that their Policies and Procedures are current (the Omnibus Rule changed the HIPAA landscape last year and requires updates to existing Policies and Procedures) and that members of their workforce with access to PHI have received specific training related to the Policies and Procedures.