Financial Penalty in Small Breach Case
County Health Department Agrees to Settlement
An investigation by the Department of Health and Human Services into a relatively small breach at a county health department in Washington state has resulted in a $215,000 monetary settlement.
Skagit County, located in Northwest Washington and home to approximately 118,000 residents, has agreed to pay a $215,000 settlement and to work closely with the HHS Office for Civil Rights to correct deficiencies in its HIPAA compliance program, which were discovered during an OCR investigation into a December 2011 breach.
The Skagit County Public Health Department provides services to many individuals who would otherwise not be able to afford healthcare, according to an HHS statement about the settlement.
OCR says it opened its investigation upon receiving a breach report from Skagit County in December 2011. The report noted that money receipts containing the electronic protected health information of seven individuals had been accessed by unknown parties after the information was inadvertently moved to a publicly accessible server maintained by the county.
However, OCR's investigation into the matter revealed a broader exposure of data. The breach actually involved the ePHI of 1,581 individuals, not seven. "Many of the accessible files involved sensitive information, including protected health information concerning the testing and treatment of infectious diseases," HHS says.
OCR's investigation uncovered widespread non-compliance with the HIPAA privacy, security and breach notification rules, federal officials say.
"This case marks the first settlement with a county government and sends a strong message about the importance of HIPAA compliance to local and county governments, regardless of size," says Susan McAndrew, OCR deputy director of health information privacy. "These agencies need to adopt a meaningful compliance program to ensure the privacy and security of patients' information."
In the wake of the breach, an area of focus for the county is training department of health workers to use only the minimum necessary personal information of patients, Ron Wesen, county board of commissioners chair, tells Information Security Media Group. He explains that the county's breach investigation determined that department workers had been mistakenly posting onto a public website patient receipts containing personal information.
While the settlement is the first with a county government, one of the largest OCR HIPAA settlements to date was in June 2012 with a unit of state government, the Alaska Department of Health and Social Services. That $1.7 million settlement was the result of an OCR investigation triggered by a stolen unencrypted USB storage drive potentially containing data about 500 Medicaid beneficiaries.
"This latest settlement indicates to me that OCR is investigating cases large and small, which is exactly what the industry needs to take HIPAA security compliance more seriously," says security expert Brian Evans, a principal at Tom Walsh Consulting.
Organizations need to take steps to ensure they don't underestimate the size of a breach, Evans stresses. "Nobody wants or expects OCR to show up and do a better job than you in investigating your organization's breach," he says.
"Small organizations like Skagit County should decide in advance whether they're going to use existing staff to build an incident response team or outsource it," Evans says. "If they're going to build it in-house, then they need to formally designate and train its team members on how to properly conduct incident investigations. Otherwise, cross your fingers and hope for the best."
As part of its settlement with OCR, Skagit County agreed to a corrective action plan to ensure it has in place written policies and procedures, training and other measures to comply with the HIPAA rules. The corrective action plan also requires the county to provide regular status reports to OCR.
The plan notes that among Skagit County's HIPAA deficiencies were failure to provide notification as required by the breach notification rule to all those impacted by the incident; failure to implement sufficient policies and procedures to prevent, detect, contain and correct security violations; failure to implement and maintain in written or electronic form policies and procedures reasonably designed to ensure compliance with the security rule; and failure to provide security training to all workforce members.
Among the steps the county has agreed to take are:
- Provide a new breach notification to HHS for review and approval, and then publish it in local media;
- Provide to HHS a description of Skagit County's procedures that ensure the breach incident involving patient PHI is included in any accounting of disclosures provided to any individual impacted by the incident;
- Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI;
- Provide HIPAA training to members of the county's workforce who have access to ePHI.