The Butler County commissioners approved a two-day, unpaid suspension for an employee who inadvertently sent out an email with wellness information regarding the county’s health insurance, which might have violated HIPAA laws.
Shawna Smith, the county’s wellness coordinator, sent out an email in September with a spreadsheet that included hidden columns with some employee information.
The resolution authorizing the suspension said Smith was charged with “neglect of duty, failure of good behavior, incompetence and/or misfeasance in regard to the circulation of a spreadsheet to all employees on the County Health Insurance, which contained protected health information.”
County Administrator Judi Boyko said there was no “malicious” intent on Smith’s part, but there had to be repercussions.
“It was just an error, but nonetheless information was distributed that should not have been, to parties that should not have received it,” Boyko said. “Nothing malicious or anything like that happened, but there need to be controls in place and systems in place that this information is not inadvertently nor maliciously distributed. The commissioners’ position was they needed to take some action.”
The breach was reported to the Department of Health and Human Services, and Commissioner Don Dixon said there were no sanctions from that investigation.
“It was just a policy she should have followed and didn’t,” Dixon said. “And even though it didn’t cause any repercussions it still had to be addressed.”
Boyko said the human resources department is working to make sure it has the systems in place to ensure this doesn’t happen again.
The spreadsheet, according to Human Resources Director Laurie Murphy, included names, insurance identification numbers and information about the employees’ participation in the county Wellness Program. She noted the information isn’t sensitive — no passwords or Social Security numbers, for instance — but warned employees in a letter in December to be vigilant.
“Although the risk of harm to participants is low since the information was generally not sensitive in nature, participants whose PHI (protected health information) was improperly distributed should take steps to monitor the use of their health insurance to prevent fraudulent use by third parties,” Murphy wrote.
Smith has declined to comment.