In one of the HIPAA cases most relevant to the I/DD-Residential sector, a county agency delivering health services to low-income people settled a potential breach by paying out $215,000 to the Feds. The agency serves a rural population of about 120,000 in Skagit County, Washington — where nearly 18 percent of the people live below the federal poverty line according to the most recent labor statistics.
As commonly happens, the Feds opened an investigation after receiving a complaint that appeared to result from the unintentional exposure of Private Health Information (PHI) involving only seven individuals. Looking further, the Feds discovered the absence of a HIPAA compliance program within the county agency in question.
The case is significant for the message it sends. And you don’t even have to read between the lines, because the Feds say it explicitly:
You can be small and serving a vulnerable population, but you still need what the Feds call “a meaningful compliance program to ensure the privacy and security of patients’ information.”
The Skagit County settlement dates back to 2014, when the Feds were just beginning a proactive approach to HIPAA enforcement as mandated by Congressional legislation in 2013. Since then, the message of that case has been clearly validated.
In a review of nearly 400 potential privacy violations currently under investigation, you will see that small community providers, including those in the I/DD sector, are under investigation for occurrences often resulting from careless lapses with no ill intent.
In Skagit County, private health information held by one agency was inadvertently moved to a publicly accessible server. After that? Responding to a complaint, the Feds nosed around and found what they described as “general and widespread non-compliance with the HIPAA Privacy, Security, and Breach Notification Rules.”
In addition to the monetary settlement, a three-year corrective action period ensued for the Skagit County agency.
About the author: Diane Evans, Publisher of MyHIPAA Guide, leads a team of HIPAA trainers and consultants who boil privacy practices down to good business and human-centered processes. OPRA’s HR Committee helped guide the creation of templates and training materials specifically for the residential services sector, available at hipaa.opra.org. Ms. Evans can be reached at firstname.lastname@example.org