First, the cost is much higher than the settlement amount. While this number may seem high or low to you, depending on your size, it is important to know that audits themselves can cost a lot more than any settlement amount. In addition, audits can end with an agreement to be subject to future auditing for many years. These costs can quickly add up for organizations that find themselves under the spotlight. Finally, the impact on your organization's brand image should not go unnoticed.
Second, unauthorized access is enough to be a HIPAA violation. The HIPAA standards do not require that the data be used by nefarious people, or that the affected individual(s) be harmed, for a HIPAA violation to occur. Mere access to protected health information in a way not allowed by these rules can lead to violations.
Third, violations can be a very public situation. Violations under HIPAA, as shown with this resolution agreement, may require your entity to notify individuals and the media, and even to post a notice about the violation on your home web page. See 45 C.F.R. §164.404(d)(2)(ii)(B). These can all be part of the new, stricter reporting obligations for breach situations. In addition, as required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.
Read the resolution agreement
The investigation started in 2012, about six months after notification of a potential breach of electronic protected health information (ePHI) on a public web server. The initial review found that:
- From approximately September 14, 2011 until September 28, 2011, Skagit County disclosed the ePHI of 1,581 individuals in violation of the Privacy Rule (See 45 C.F.R. §§160.103 and 164.502 (a)) by providing access to electronic protected health information (ePHI) on its public web server;
- From November 28, 2011 until present, Skagit County failed to provide notification as required by the Breach Notification Rule (See 45 C.F.R. § 164.404) to all of the individuals for whom it knew or should have known that the privacy or security of the individual’s ePHI had been compromised as a result of the breach incident described in the paragraph above;
- From April 20, 2005 until present, Skagit County failed to implement sufficient policies and procedures to prevent, detect, contain, and correct security violations (See 45 C.F.R. § 164.308(a)(1)(i));
- From April 20, 2005 until June 1, 2012, Skagit County failed to implement and maintain in written or electronic form policies and procedures reasonably designed to ensure compliance with the Security Rule (See 45 C.F.R. § 164.316(a) and (b)); and
- From April 20, 2005 until present, Skagit County failed to provide security awareness and training to all workforce members, including its Information Security staff members, as necessary and appropriate for the workforce members to carry out their functions within Skagit County (See 45 C.F.R. § 164.308(a)(5)).
If you have questions on HIPAA Privacy, Security or HITECH obligations, please contact Kinney & Larson.