By eagleconsultingpartners | Published: April 4, 2014

Skagit County, located in Northwest Washington, has agreed to settle potential violations of the HIPAA Privacy, Security and Breach Notification Rules. The County was fined $215,000 and must work closely with the Department of Health and Human Services (HHS) to correct deficiencies in its HIPAA compliance program.

“This case marks the first settlement with a county government and sends a strong message about the importance of HIPAA compliance to local and county governments, regardless of size,” said Susan McAndrew, deputy director of health information privacy at the HHS Office for Civil Rights (OCR). “These agencies need to adopt a meaningful compliance program to ensure the privacy and security of patients’ information.”

The Skagit County Public Health Department provides vital services to promote health and prevent communicable disease to many individuals who would otherwise not be able to afford health care.

OCR opened an investigation after receiving a breach report that money receipts containing electronic protected health information (ePHI) of seven individuals had been accessed by unknown parties after the ePHI was inadvertently moved to a publicly accessible server maintained by the County. The investigation led OCR to discover a broader exposure than originally reported, involving the ePHI of 1,581 individuals. The accessible information included sensitive details concerning the testing and treatment of infectious diseases. The investigation also uncovered “general and widespread non-compliance by Skagit County with the HIPAA Privacy, Security, and Breach Notification Rules.” View the full resolution agreement here.

Eagle Consulting Partners recommends counties first assess which functions within the county are regulated under HIPAA.  Most county government functions, for example, the safety forces and road maintenance, have no HIPAA obligations.  Other departments, including health departments, social service departments, jails, and departments that process or use PHI such as the county prosecutor (who may serve as legal counsel for other departments) and fiscal services departments (who may pay bills that include protected health information) do have an obligation to comply with HIPAA regulations.

County government will be organized differently from state to state.  For example, in Ohio typical county departments that have HIPAA obligations include Health Departments, the County Board of Developmental Disabilities, the county Board of Mental Health, the county board of Alcohol and Drug Addiction Services, the Department of Job and Family Services, the County Prosecutor and the County Auditor.

HIPAA provides flexibility in compliance approaches.  One approach would be for each agency to develop its own compliance program.  Another approach would be for the county to designate itself as a HIPAA “hybrid entity” and designate itself a single “covered entity” with multiple “health care components.”  Agencies may benefit from professional help to conduct such an assessment.

Once the compliance strategy is selected, an overall compliance program should be implemented including the following elements:

  1. Conduct an inventory of protected health information, including both paper and electronic forms.
  2. Ensure written policies and procedures are in place and have been updated to reflect changes made by the Omnibus Rule (effective January 25, 2013).
  3. Train employees on HIPAA Privacy and Security compliance.
  4. Implement a process to collect and record required HIPAA compliance documentation.
  5. Conduct a computer security risk analysis to identify vulnerabilities and implement a corrective action plan to address deficiencies.
  6. Conduct a Business Associate analysis to identify who is and who is not required to comply with the applicable standards, implementation specifications, and requirements of the HIPAA Privacy and Security Rule, and ensure language is present in Business Associate contracts to ensure compliance.

This may be a daunting task, so once again, professional help may be beneficial.  Eagle has extensive experience in Ohio counties and can provide assistance in Ohio and across the country.
