Counties Beware – Your Governmental Status Does Not Protect You from Liability for a HIPAA Breach

March 20, 2014 | By Lawrence J. Tabas

As a county government, you may think that you have the protection of sovereign immunity and protection from other governments penalizing you. Your status does not protect you. The Department of Health and Human Services (“HHS”) wants local governments to know that they are not immune from scrutiny for violations of the Health Insurance Portability and Accountability Act (“HIPAA”). HHS recently entered into a settlement agreement with Skagit County, a political subdivision of Washington state with a population of around 118,000 (the “County”), for the County’s alleged violations of HIPAA in connection with services it provides to those residents who otherwise could not afford and would not have access to health care. Under the settlement, the County must pay $215,000 and enter into a corrective action plan.

The alleged breach arose when the County mistakenly placed the electronic protected health information (“ePHI”) of 1,581 individuals on a publicly accessible server. Some of the compromised ePHI consisted of testing and treatment information for infectious diseases. During its investigation of the breach, HHS realized that the incident was just the tip of the iceberg in terms of the County’s compliance problems. HHS also discovered that the County had failed to provide the required notice of the breach, that it did not have adequate policies and procedures in place to address security violations, and that it failed to provide proper training to its workforce members with access to ePHI.

For its alleged violations, the County is required to pay to HHS a large monetary penalty and enter into a corrective action plan (the “Plan”). The Plan shows the ways in which the County’s HIPAA compliance was deficient and also functions as a blue print for other health care entities to follow when implementing a compliance plan so that they can be proactive about HIPAA compliance rather than reactive. The Plan requires the County to undertake the following measures:

Security Management Process: The County must “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of [ePHI]” held by the components of the County’s health care services. For health care entities, this should be step one in implementing a HIPAA compliance plan. By identifying vulnerabilities, a health care entity can minimize the risk of a potential breach by taking preventive measures, for example, by adding more technological safeguards.

Create and Update Policies and Procedures: Under the Plan, the County is required to create new policies and revise existing policies and procedures regarding security, breaches,  and breach notification. Adequate policies and procedures allow health care entities to address security concerns and respond to breaches effectively.

Training: The Plan requires the County to train all workforce members with access to ePHI in the newly created and revised policies and procedures and to certify that they have received such training. Health care entities should ensure that their employees are well-versed in HIPAA policies and procedures so that such employees can avoid risky behavior, like storing ePHI on mobile devices, and also alert the health care entity when they suspect a breach.

Review Business Associate Agreements:  The County is required to review and document its business associate agreements. Having business associate agreements with entities that have access to a health care entity’s ePHI is an essential element in HIPAA compliance. Well-drafted agreements will let a business associate know what uses of ePHI are acceptable and also make the business associate aware of its notification obligations.

In addition to these components, the Plan also requires the County to notify affected individuals of the breach via postings in the media and on the County’s website, to conduct an accounting of disclosures of ePHI, and to file reports with HHS. The Plan is to be carried out with HHS oversight and will last for three years from the date that HHS approves of the County’s newly created and revised policies and procedures.

According to an HHS press release, Susan McAndrew, deputy director of health information privacy at the HHS Office of Civil Rights, stated: “This case marks the first settlement with a county government and sends a strong message about the importance of HIPAA compliance to local and county governments, regardless of size.” Whether you are a local government in a community of 118,000 residents or a health care provider serving tens of thousands of patients, HHS has made clear with this settlement that no breach is too small to investigate and no entity immune from scrutiny. For other health care entities, the County’s Plan provides a guide to implementing HIPAA-compliant policies and procedures before a breach even occurs. Health care entities should consult with experienced counsel to ensure HIPAA compliance for their individual circumstances.

The Health Law Gurus™ will continue to follow HIPAA compliance issues and breach settlements.

We encourage you to share your experiences and thoughts about HIPAA compliance with us and our readers in the comments section below.

To access settlement agreement, click here.

To read the HHS press release, click here

Categorized In: Compliance Issues, HIPAA, Privacy

About the Authors

Lawrence J. Tabas


Lawrence is the Chair for Obermayer’s Health Care Law Department and Election Law Practice Group. Lawrence’s Health Care Law legal experience includes the representation of Pennsylvania County governments in Behavioral Health Managed...

Read More by Author