OCR levies first HIPAA fine against local government

Inaction by a Washington state county public health department after it self-reported a breach of electronic protected health information has led to the first HIPAA fine of a local government by the U.S. Department of Health & Human Services Office for Civil Rights (OCR).

The $215,000 fine was levied against Skagit County for failing to act after a September 2011 self-reported breach compromised the electronic protected health information (ePHI) of close to 1,600 individuals served by the county's public health department. The breach lasted two weeks, from Sept. 14 to Sept. 28, 2011, during which ePHI was accessible on the county's public web server. HHS received notification of the breach from Skagit County on Dec. 9, 2011.

According to a resolution agreement, the county has not provided notification to all individuals who may have been impacted by the breach. What's more, OCR determined that since April 2005, Skagit County has not implemented "sufficient policies and procedures to prevent, detect, contain and correct security violations."

The agreement also outlines a corrective action plan that requires the county to notify both the affected individuals and local media; further, the county must post notice of the breach "conspicuously" on the home page of its website for 90 days.

That latter step is one already being taken by Sutherland Healthcare Solutions, a third-party billing vendor, on behalf of the Los Angeles County Department of Health Services in California, following a breach last month that compromised information on nearly 169,000 people.

The notice, posted to the county's website, details the incident: on Feb. 5, unencrypted computers were stolen from Sutherland's Southern California office. The machines contained patient Social Security numbers, demographic data, billing information, dates of birth and PHI. Because the data was not encrypted, the theft counts as a breach of unsecured PHI under the HIPAA Breach Notification Rule; encryption that meets HHS guidance would have removed the notification obligation. Sutherland is offering a year of credit monitoring to anyone affected.

"We take this incident very seriously and are taking the necessary precautions to protect all patient related information from theft or criminal activity," the notice reads. "We and Los Angeles County will be notifying the U.S. Department of Health & Human Services, Office for Civil Rights. In addition, we are reviewing our policies and procedures and have provided additional training to our workforce."

The county also is working with Sutherland to determine whether "enhancements" need to be made to the company's information privacy and security program.

To learn more:
- here's the HHS OCR resolution agreement (.pdf)
- read the Sutherland notice