County Governments Deal with HIPAA Breaches Impacting Thousands

Two county governments are dealing with the consequences of HIPAA Security breaches affecting thousands of individuals.  Skagit County, Washington and Los Angeles County, California both recently experienced HIPAA Security breaches resulting in penalties, breach notification expenses and unwanted negative publicity.

In a recent press release, the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) announced that Skagit County, Washington agreed to settle several potential HIPAA violations involving public access to electronic protected health information (ePHI). OCR opened an investigation after receiving a breach report in late 2011 indicating that the ePHI of several individuals was accessed after it had inadvertently been moved to a publicly accessible server.  The investigation revealed broader exposure than had been initially believed; the breach was ultimately determined to involve the ePHI of 1,581 individuals, and the investigation also found further non-compliance with the HIPAA Privacy, Security, and Breach Notification Rules.  Skagit County agreed to a monetary settlement of $215,000 and a three-year corrective action plan in order to correct deficiencies in its HIPAA compliance.  In addition to the monetary settlement, the corrective action plan focuses on implementation of effective written policies and procedures, documentation and reporting measures, and staff training in compliance with the HIPAA Rules.

The theft of unencrypted computers from a third-party billing vendor of the Los Angeles County public health and health services departments resulted in a HIPAA breach affecting approximately 168,500 individuals.  The breach involved protected health information (PHI) including Social Security numbers, demographic data, billing information, dates of birth and medical diagnoses.  HIPAA breach notification letters are being sent to the affected individuals.  Sutherland Healthcare Solutions, the third-party billing vendor, has indicated that it is reviewing its current policies and procedures, as well as working with Los Angeles County to determine if additional changes need to be made to its information privacy and security program.

County governments and public health departments are not immune from the HIPAA Rules or the impact of a HIPAA breach.  The Skagit County case was the OCR’s first settlement with a county government, emphasizing the importance of effective HIPAA compliance for not only private entities but local and county governments as well.  Susan McAndrews, deputy director of health information privacy at HHS OCR, stated that “[t]hese [government] agencies need to adopt a meaningful compliance program to ensure the privacy and security of patients’ information.”

These security breaches should encourage providers to integrate security efforts like encryption for any devices that can leave the office: computers, laptops, tablets, and smartphones.  They also highlight, once again, the need for proactive review and revision of HIPAA policies and procedures and the need for ongoing training.
