OCR Announces First HIPAA Settlement with County Government
On March 7, 2014, the Department of Health and Human Services, Office for Civil Rights (OCR) announced that it reached a settlement with Skagit County, Washington over potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Skagit County agreed to pay $215,000 and enter into a corrective action plan with OCR after an investigation by OCR revealed that Skagit County disclosed the electronic protected health information of 1,581 individuals, failed to provide notification as required by the Breach Notification Rule, and was generally non-compliant with HIPAA requirements related to implementation of policies and procedures and staff training. Skagit County, with a population of 118,000, provides services to many individuals who could not otherwise afford health care.
In the press release regarding the settlement, Susan McAndrew, Deputy Director of Health Information Privacy at OCR stated, “This case marks the first settlement with a county government and sends a strong message about the importance of HIPAA compliance to local and county governments, regardless of size. These agencies need to adopt a meaningful compliance program to ensure the privacy and security of patients’ information.”
This settlement serves as a reminder that no covered entity is too small to avoid scrutiny from OCR. Local and county governments, small rural hospitals, and covered entities of all sizes must ensure that policies and procedures are in place to safeguard patients’ protected health information and comply with HIPAA requirements.