Last week, the Department of Health and Human Services (“DHHS”) announced in a press release its first HIPAA enforcement action against a county government and imposed a civil money penalty of $215,000. Given these current economic times, which seem to be producing fewer tax dollars for government-run programs, I would urge all readers, in both private and public sectors, to take notice of this enforcement action because of the lessons that it has to teach. The first lesson is that being a governmental entity is no barrier to a DHHS HIPAA enforcement action. Note the earlier $1.7 million settlement by Alaska Medicaid and now this one against a county government.
The DHHS Office for Civil Rights (“OCR”) opened an investigation of Skagit County, Washington (which serves a total county population of less than 120,000), when the county reported a breach involving only seven people. OCR’s investigation revealed a broader exposure of information, which included the electronic protected health information (“EPHI”) of 1,581 people. OCR’s investigation also uncovered general and widespread noncompliance with HIPAA’s Privacy, Security, and Breach Notification Rules.
As is customary when a fine is imposed or a settlement is reached in lieu thereof, Skagit County is now required under the resolution agreement to cooperate with OCR and implement a robust six-year corrective action plan (“CAP”). As part of the CAP, Skagit must submit for DHHS review and approval Skagit’s hybrid entity documents designating its covered health care components, including Skagit’s policies and procedures to ensure compliance with 45 C.F.R. § 164.105, along with a sample of Skagit’s business associate agreement. In addition, Skagit is required to create and revise written policies and procedures to comply with HIPAA’s Privacy, Security, and Breach Notification Rules. Skagit must also train all workforce members of Skagit’s covered health care components, and finally, Skagit must provide annual reports to OCR reflecting compliance with the CAP for the next six years. OCR will review each submission by Skagit, and Skagit must make any corrections suggested by OCR in a timely fashion.
Too bad Skagit did not have these things in place before reporting the breach, because, if it had, the enforcement action likely would not have involved a big fine and a six-year CAP. The requirements of the CAP make a good checklist for HIPAA compliance. In other words, if Skagit had had these corrective action items in place before the incident, no need would have existed for a six-year CAP.
Since the onset of HIPAA and its implications for state and county governments, my law partner, Jon Tomes, and I have successfully worked with scores of these complex organizations. I credit Jon for developing a very valuable tool, the “Mini GAP Analysis Survey,” which has been used relentlessly by our consulting group, EMR Legal, Inc., of which I am a co-founder and vice president. Over the years, our Mini GAP has proved quite helpful in getting the public sector HIPAA compliant correctly and cost effectively because it quickly and accurately identifies the hybrid entity components of the governmental entity. The Mini GAP and other compliance resources are available through our publishing house, Veterans Press, Inc. Readers who would like for us to conduct an audit of their organization or who need any other compliance help may wish to contact our marketing director, Patrick R. Head II toll-free at 855-385-9367 or at Patrick@veteranspress.com.