October 5, 2022

Volume XII, Number 278


Cities And Counties Are Not Immune From Health Insurance Portability and Accountability Act (HIPAA) Enforcement, Skagit County, Washington Pays $215,000

Skagit County, Washington, has agreed to settle potential violations of the privacy and security rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), according to an announcement by the Office for Civil Rights (OCR) on Friday.  OCR reported that Skagit County, home to approximately 118,000 residents, agreed to a $215,000 monetary settlement and to comply with a three-year HIPAA compliance program under OCR’s watchful eye.

OCR began investigating Skagit County and its Public Health Department when OCR received a breach report that money receipts with electronic protected health information (ePHI) of seven individuals were accessed by unknown parties after the ePHI had been inadvertently moved to a publicly accessible server maintained by the County.

A relatively minor breach at first glance. However, OCR’s investigation revealed the incident was broader and included the ePHI of 1,581 individuals, in some cases involving files concerning the testing and treatment of infectious diseases. According to the resolution agreement, Skagit County allegedly failed to provide notification as required by the HIPAA Breach Notification Rule to all of the affected individuals for whom it knew or should have known that the privacy or security of the individuals’ ePHI had been compromised.

Like other OCR investigations, the enforcement activity uncovered “general and widespread non-compliance by Skagit County with the HIPAA Privacy, Security, and Breach Notification Rules.” For example, OCR looked back to April 20, 2005 (the effective date of the HIPAA Security Rule), and alleged that Skagit County had not complied with various aspects of the HIPAA security regulations, including maintaining written policies and training employees.

The Skagit County Public Health Department provides essential services to many individuals who would otherwise not be able to afford health care. A $215,000 payment to OCR certainly will be a hit to the Department’s budget and the services it provides. Cities, counties and other public sector entities that perform HIPAA covered functions should be reviewing their HIPAA compliance efforts to ensure they are in a strong defensible position. Some basic compliance steps – risk assessment, written policies and procedures, training, a breach response plan, documentation, and others – can go a long way.

Jackson Lewis P.C. © 2022 National Law Review, Volume IV, Number 69

About this Author

Principal

Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm's Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and...

973-538-6890