FOR IMMEDIATE RELEASE
Contact: HHS Press Office
County Government Settles Potential HIPAA Violations
Skagit County, Washington, has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules. Skagit County agreed to a $215,000 monetary settlement and to work closely with the Department of Health and Human Services (HHS) to correct deficiencies in its HIPAA compliance program. Skagit County is located in Northwest Washington, and is home to approximately 118,000 residents. The Skagit County Public Health Department provides essential services to many individuals who would otherwise not be able to afford health care.
“This case marks the first settlement with a county government and sends a strong message about the importance of HIPAA compliance to local and county governments, regardless of size,” said Susan McAndrew, deputy director of health information privacy at the HHS Office for Civil Rights (OCR). “These agencies need to adopt a meaningful compliance program to ensure the privacy and security of patients’ information.”
OCR opened an investigation of Skagit County upon receiving a breach report that money receipts with electronic protected health information (ePHI) of seven individuals were accessed by unknown parties after the ePHI had been inadvertently moved to a publicly accessible server maintained by the County. OCR’s investigation revealed a broader exposure of protected health information involved in the incident, which included the ePHI of 1,581 individuals. Many of the accessible files involved sensitive information, including protected health information concerning the testing and treatment of infectious diseases. OCR’s investigation further uncovered general and widespread non-compliance by Skagit County with the HIPAA Privacy, Security, and Breach Notification Rules.
Skagit County continues to cooperate with OCR through a corrective action plan to ensure it has in place written policies and procedures, documentation requirements, training, and other measures to comply with the HIPAA Rules. This corrective action plan also requires Skagit County to provide regular status reports to OCR.
To learn more about non-discrimination and health information privacy laws, your civil rights and privacy rights in health care and human service settings, and to find information on filing a complaint, visit us at http://www.hhs.gov/ocr/office/index.html.
The Resolution Agreement can be found on the OCR website at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/skagit-agreement.html.
The scenario: In 2005, Oracle E-Business Suite was chosen, along with Click Commerce, as the "Commercial-Off-The-Shelf" (COTS) software to replace the US Air Force's legacy business systems. A systems integrator, Computer Sciences Corporation, was then selected to implement it.
In 2009, the Air Force modified its Oracle contract to eliminate Click Commerce in favor of an "Oracle-only" solution. This shift caused severe delays, which in turn prompted the Office of the Secretary of Defense to conduct a technical risk assessment. The assessment found that the design prerequisites were insufficient.
In March 2013, Air Force HQ looked into the root causes of the ECSS failure. The review took approximately 75 days and covered more than 588,000 pieces of data spanning roughly 10 years, drawn from an initial pool of more than 1,000 personal interviews.
Six root causes were identified:
1) Understanding your data: Data was addressed "as they wanted to address it," with assumptions about data they believed they "already had," because legacy system deconstruction was done at the same time as blueprinting the new solution, instead of first understanding ALL of the data.
2) Understanding "AS-IS" and "TO-BE" architectures: The ECSS program lacked detailed knowledge of the "As-Is" state, which resulted in an incomplete assessment of the "To-Be" state; it was effectively trying to replace a large number of unknowns.
3) A transition plan: Without detailed knowledge of the legacy system, planning a transition from the unknown is impossible.
4) The right execution plan: Additional interfaces were needed alongside the commercial off-the-shelf solution, but no single vision of how to "bolt on" those interfaces had been agreed. The subject matter experts each followed different processes, so there was no aligned vision to hand to the systems integrator.
5) The right development environment: The development was not congruent with the expected work environment.
6) The right culture: New code design showed a lack of acceptance and understanding of the new vision.
Read more of the Air Force final executive summary.
The Arizona Public Safety Personnel Retirement System is a $7.2B police, firefighter, correctional and elected officials' pension fund which has recently seen retaliation against dissent from within. Mr. James Hacking is the administrator of the pension fund. He witnessed several resignations of investment staffers in 2013 after allegations were raised in a memo by Mark Steed regarding a May 20th investment team meeting:
Team members are supposed to be free to disagree and challenge each other in the best interests of the pension fund, Mr. Steed's memo said.
“However, the attendee asserted that the culture is not Socratic and in fact team members are punished for disagreeing with management,” the memo said.
The memo described Chief Investment Officer Ryan Parham and Deputy CIO Marty Anderson as having punished a portfolio manager for asking questions about one of the fund's external real estate managers.
Recent court documents have revealed that portfolio manager Anton Orlich departed on June 7th and, prior to that departure, downloaded approximately 52,000 names, Social Security numbers, and addresses of other members. He has since turned the records over to the Maricopa County Superior Court. Orlich's attorney, Lynn Adams, claims that trust managers had known about this breach since October, and says she finds the timing of its recent disclosure suspicious.
The trust is now offering the 52,000 members a year of LifeLock identity theft protection.