On March 7, 2014, Skagit County, Washington agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security and Breach Notification Rules. HHS’s investigation indicated that the following conduct occurred:
- From approximately September 14, 2011 until September 28, 2011, Skagit County disclosed the electronic protected health information (ePHI) of 1,581 individuals in violation of the Privacy Rule by providing access to ePHI on its public web server;
- From November 28, 2011 until present, Skagit County failed to provide notification as required by the Breach Notification Rule to all of the individuals for whom it knew or should have known that the privacy or security of the individual’s ePHI had been compromised as a result of the breach incident;
- From April 20, 2005 until present, Skagit County failed to implement sufficient policies and procedures to prevent, detect, contain and correct security violations;
- From April 20, 2005 until June 1, 2012, Skagit County failed to implement and maintain in written or electronic form policies and procedures reasonably designed to ensure compliance with the Security Rule; and
- From April 20, 2005 until present, Skagit County failed to provide security awareness and training to all workforce members, including its Information Security staff members, as necessary and appropriate for the workforce members to carry out their functions within Skagit County.
Skagit County agreed to a $215,000 settlement and to work closely with the HHS to correct the above deficiencies. This case marks the first settlement with a county government and sends a strong message to all covered entities, regardless of size, on the importance of complying with the Privacy, Security and Breach Notification Rules. All covered entities should take note of this settlement and review their policies and procedures to ensure that they are in compliance with the Privacy, Security and Breach Notification Rules. For more information on the settlement, visit http://www.hhs.gov/news/press/2014pres/03/20140307a.html.
If you have any questions or concerns about your organization’s compliance with the HIPAA Privacy, Security and Breach Notification Rules, please feel free to contact Eric Wright at 412-697-5328 or at email@example.com.
© 2014 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
This advice is not intended or written to be used for, and it cannot be used for, the purpose of avoiding any federal tax penalties that may be imposed, or for promoting, marketing or recommending to another person, any tax related matter.