HHS Announces HIPAA Settlement with County Department of Health

Posted on March 14, 2014 in Health Law News

Published by: Hall Render

On March 7, 2014, the U.S. Department of Health and Human Services (“HHS”) announced that it reached a settlement with a county in Washington state (the “County”) stemming from alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy, Security and Breach Notification Rules.  The settlement comes after the County reported a breach of electronic protected health information (“ePHI”) to the HHS Office for Civil Rights (“OCR”) under the HIPAA Breach Notification Rule.

The breach report submitted to OCR indicated that the County had inadvertently placed money receipts with ePHI for seven individuals on a publicly accessible server maintained by the County.  OCR’s investigation found that the breach was actually broader, affecting the files of 1,581 individuals.  The accessible files contained sensitive information concerning testing and treatment for infectious diseases.  OCR’s investigation also revealed widespread non-compliance by the County with the HIPAA Privacy, Security and Breach Notification Rules.

Accordingly, HHS and the County entered into a Resolution Agreement under which the County agreed to pay $215,000 and implement corrective measures, which require the County to:

  • Provide substitute breach notification to any affected individuals who were not previously notified;
  • Obtain OCR review and approval of the County’s accounting of disclosures procedure;
  • Submit to OCR hybrid entity documents designating the County’s covered health care components;
  • Conduct a risk assessment as required by the HIPAA Security Rule;
  • Create and revise, as necessary, written policies and procedures for complying with the HIPAA Privacy, Security and Breach Notification Rules;
  • Train all workforce members of the County’s covered health care components who have access to ePHI on the policies and procedures;
  • Promptly investigate any instances of workforce members failing to comply with the policies and procedures, and report the findings of any such investigation to HHS; and
  • Submit annual reports of compliance to OCR for three years.

In the press release announcing this settlement, the OCR Deputy Director for Health Information Privacy, Susan McAndrew, noted that “[t]his settlement sends a strong message about the importance of HIPAA compliance to local and county governments, regardless of size.”  Ms. McAndrew stressed that such agencies “need to adopt a meaningful compliance program to ensure the privacy and security of patients’ information.”

Practical Takeaways

In light of this development, covered entities of all types, and particularly local, county and state agencies, should take the necessary steps to ensure that they have comprehensive and effective HIPAA compliance programs, including:

  • Identifying components of the agency that are subject to HIPAA and the workforce members within those components who have access to PHI;
  • Adopting policies and procedures to implement the requirements of the HIPAA Privacy, Security and Breach Notification Rules for any covered health care components;
  • Conducting comprehensive risk analyses to identify and evaluate security vulnerabilities for all PHI;
  • Frequently reviewing and revising privacy and security policies to ensure that PHI is safeguarded;
  • Providing and periodically updating privacy and security training for workforce members; and
  • Promptly investigating and appropriately sanctioning workforce members for violations of HIPAA policies and procedures.

More information on this enforcement action, including the Resolution Agreement and the HHS press release, is available here.

If you need additional information about HIPAA and HITECH, please contact Mark Swearingen at 317-977-1458 or mswearingen@hallrender.com or your regular Hall Render attorney.

Hall Render’s HIPAA Impact Series has provided in-depth analysis of HIPAA issues and developments since the passage of HITECH. View our HIPAA Impact Series and sign up to receive updates by visiting www.hallrender.com/HIPAA.