Skagit County Hit with $215K Fine for Government HIPAA Violation

The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued its first fine for a government HIPAA compliance violation, stipulating that Skagit County, Washington, must pay $215,000 for HIPAA violations that resulted in the exposure of the Protected Health Information (PHI) of just seven individuals.

However, upon investigation the OCR discovered that Skagit County had committed numerous violations of the HIPAA Security Rule, which meant that the PHI of 1,581 individuals could potentially have been accessed by unauthorized third parties.

The incident occurred when PHI was migrated in error to a server that did not have the level of protection required by the Security Rule; in fact the data was freely accessible over the internet. Furthermore, that data contained highly detailed information on those individuals, including details of medical tests, test results and the management of infectious diseases, together with personal identifiers.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) places a requirement on all covered entities (CEs) to implement safeguards to protect healthcare data. In response to the HIPAA breach, the OCR conducted an investigation and discovered numerous violations of the Breach Notification Rule, Security Rule and Privacy Rule.

The fine for a government HIPAA violation may appear high given the number of individuals affected by Skagit County’s lax security standards, but in cases such as this the settlement amount is driven by the number of violations, the length of time they were allowed to persist, and the nature of the data that was potentially disclosed.

The action taken by the OCR is significant in this case because it is the first financial settlement to be reached for a government HIPAA violation. Private healthcare providers as well as government departments must comply with HIPAA regulations, and when they do not, the OCR will hold them financially accountable.

This year the OCR has increased the number of fines it has issued, although in many cases non-compliance has been dealt with by the issuing of an action plan. Achieving HIPAA compliance, and maintaining strict privacy and security standards, is a difficult task. When CEs implement measures to safeguard data and apply HIPAA policies and procedures but still suffer a data breach, oftentimes all that the OCR needs to do is provide an action plan that the organization can follow to address problem areas in its data security and become fully HIPAA-compliant. Financial penalties for HIPAA violations are not always deemed to be necessary.

However, in some cases healthcare providers pay too little attention to privacy and security matters. In the case of Skagit County, a financial penalty was deemed to be appropriate in addition to an action plan due to the quantity and severity of the violations.

The recent HIPAA fines issued by the OCR show that serial violators of the Privacy and Security Rules will be punished. The days of no enforcement and lax security standards appear to be over. It is now time to comply or pay the price.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news