For the first time, the Office of Civil Rights (OCR) has levied a fine against a government entity for a possible HIPAA breach.
Skagit County, WA, a small county (population 118,000) in the northwest part of the state, was fined $215,000 for its failure to protect patient information controlled by the county Health Department. Even after a data breach in 2011 that the county reported to OCR, the county failed to implement adequate policies and procedures to prevent future breaches.
In its report about this incident, FierceHealthIT also cited the compromise of information for 169,000 clients served by the Los Angeles County Department of Health Services. A third-party billing vendor, Sutherland Healthcare Solutions, was the victim of the theft of unencrypted computers containing the not-so-protected PHI of these clients.
If you think that being small, a government entity, or a not-for-profit might protect you from being penalized for the exposure of your clients' data, you had best think again. We are all responsible for ensuring that PHI is protected, whether the people involved are our own clients or, in the case of SOS, the clients of our customers who are Covered Entities. This is not an area in which you should skimp on the effort spent protecting information.
Please share with us and your colleagues some of the steps you have taken to ensure the protection of your clients' PHI. Do you feel that your written policies and implemented procedures are known and understood by your employees? Do they take these procedures seriously? What do you do when you learn that they are not practicing what they have been taught? When was the last time you had training on HIPAA issues? You do have training, right?
Please comment below.