In an email headed "County Government Settles Potential HIPAA Violations," Health and Human Services brags about fining a small northwest Washington state county $215,000 for violating HIPAA's privacy law.
The email was excerpted from a press release posted to the HHS web site at http://www.hhs.gov/news/press/2014pres/03/20140307a.html.
Skagit County, Washington, has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules. Skagit County agreed to a $215,000 monetary settlement and to work closely with the Department of Health and Human Services (HHS) to correct deficiencies in its HIPAA compliance program. Skagit County is located in Northwest Washington, and is home to approximately 118,000 residents. The Skagit County Public Health Department provides essential services to many individuals who would otherwise not be able to afford health care.
(Emphasis mine.)
Note: The following paragraph was omitted from the emailed HHS release but appears on the HHS web site.
“This case marks the first settlement with a county government and sends a strong message about the importance of HIPAA compliance to local and county governments, regardless of size,” said Susan McAndrew, deputy director of health information privacy at the HHS Office for Civil Rights (OCR). “These agencies need to adopt a meaningful compliance program to ensure the privacy and security of patients’ information.”
OCR opened an investigation of Skagit County upon receiving a breach report that money receipts with electronic protected health information (ePHI) of seven individuals were accessed by unknown parties after the ePHI had been inadvertently moved to a publicly accessible server maintained by the County. OCR's investigation revealed a broader exposure of protected health information involved in the incident, which included the ePHI of 1,581 individuals. Many of the accessible files involved sensitive information, including protected health information concerning the testing and treatment of infectious diseases. OCR's investigation further uncovered general and widespread non-compliance by Skagit County with the HIPAA Privacy, Security, and Breach Notification Rules.
Skagit County continues to cooperate with OCR through a corrective action plan to ensure it has in place written policies and procedures, documentation requirements, training, and other measures to comply with the HIPAA Rules. This corrective action plan also requires Skagit County to provide regular status reports to OCR.
- (a) A rural county with only "approximately 118,000 residents" (Release paragraph 1). How many of those residents are children? How many non-working spouses? How many under- or unemployed? How many on welfare or other public assistance? How many in prison? (The county's demographics for 2012 are available at http://quickfacts.census.gov/qfd/states/53/53057.html.)
- (b) "The Skagit County Public Health Department provides essential services to many individuals who would otherwise not be able to afford health care." (Release paragraph 1). The median household income in the county was $56,475 (roughly $3,000 less than the state median income), and during the same 2008-2012 period 12.6% of the population was below the poverty level. (Source: County demographics, ibid.)
HHS now adds another $215,000 burden on the taxpayers as a penalty for lacking proper data security. Add to the penalty the costs of upgrading the county's data security practices to comply with HIPAA. HHS fails to even estimate that cost.
While protecting patient records is proper and investigating security breaches is well within HHS's purview, my question to HHS is: How does fining Skagit County $215,000 improve the county's data security?
Had HHS come in and (1) shown the county that there was a breach of security and (2) had its experts tell the county how to close those security gaps, then HHS would have done its job to the benefit of all concerned. If it had charged the county a fee for services rendered, that, too, would have been in order.
However, HHS makes no claim that it did either. The press release does state that Skagit County continues to cooperate with OCR through a corrective action plan to ensure it has in place written policies and procedures, documentation requirements, training, and other measures to comply with the HIPAA Rules, and that this corrective action plan also requires Skagit County to provide regular status reports to OCR.
I'm confident that the county has insurance to cover at least part of the HHS penalty, but because insurance companies are in business to make money, I'm equally confident that the county will have increased insurance premiums for the next several years.
- Skagit County must pay the U.S. government $215,000 from a limited budget to satisfy an HHS penalty, and then
- Skagit County must pay to determine how to improve its data security to meet the basic requirements of HHS's Office for Civil Rights, and pay to implement those changes.
HHS penalties would seem to be a revenue generator for the federal agency.
In the end, the Skagit County taxpayer is stuck - twice.