OUR THOUGHTS ON:

Skagit County, Washington Settles With The Department of Health And Human Services For Potential HIPAA Violations

Risk Advisory/Internal Audit

By Troy Fine

PRIMARY CONTACT: Eric Wright CPA, CITP (Pittsburgh)

On March 7, 2014, Skagit County, Washington agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security and Breach Notification Rules. The investigation by the Department of Health and Human Services (HHS) indicated that the following conduct occurred:

  1. From approximately September 14, 2011 until September 28, 2011, Skagit County disclosed the electronic protected health information (ePHI) of 1,581 individuals in violation of the Privacy Rule by providing access to ePHI on its public web server;
  2. From November 28, 2011 until present, Skagit County failed to provide notification as required by the Breach Notification Rule to all of the individuals for whom it knew or should have known that the privacy or security of the individual’s ePHI had been compromised as a result of the breach incident;
  3. From April 20, 2005 until present, Skagit County failed to implement sufficient policies and procedures to prevent, detect, contain and correct security violations;
  4. From April 20, 2005 until June 1, 2012, Skagit County failed to implement and maintain in written or electronic form policies and procedures reasonably designed to ensure compliance with the Security Rule; and
  5. From April 20, 2005 until present, Skagit County failed to provide security awareness and training to all workforce members, including its Information Security staff members, as necessary and appropriate for the workforce members to carry out their functions within Skagit County.

Skagit County agreed to a $215,000 settlement and to work closely with HHS to correct the above deficiencies. This case marks the first settlement with a county government and sends a strong message to all covered entities, regardless of size, on the importance of complying with the Privacy, Security and Breach Notification Rules. All covered entities should take note of this settlement and review their policies and procedures to ensure that they are in compliance with the Privacy, Security and Breach Notification Rules. For more information on the settlement, visit http://www.hhs.gov/news/press/2014pres/03/20140307a.html.

If you have any questions or concerns about your organization’s compliance with the HIPAA Privacy, Security and Breach Notification Rules, please feel free to contact Eric Wright at 412-697-5328 or at ewright@schneiderdowns.com.

© 2014 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

This advice is not intended or written to be used for, and it cannot be used for, the purpose of avoiding any federal tax penalties that may be imposed, or for promoting, marketing or recommending to another person, any tax related matter.


Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.
