On March 7, 2014, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced that Skagit County, Washington, has agreed to pay $215,000 and enter into a three-year corrective action plan in order to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). In 2011, Skagit County reported to OCR the potential Breach of seven individuals’ Protected Health Information (“PHI”). Upon investigation, OCR found that Skagit County had actually made the PHI of over 1,500 individuals publicly available on-line for two weeks. OCR’s investigation also revealed Skagit County’s “general and widespread non-compliance…with the HIPAA Privacy, Security, and Breach Notification Rules.” This settlement is notable largely because it is the first between OCR and a county government related to alleged HIPAA violations.
Skagit County’s corrective action plan imposes substantial obligations. Skagit County must take additional steps regarding the 2011 alleged Breach, including issuing substitute notification to affected individuals and updating accountings of disclosures of PHI. Additionally, Skagit County must take steps to improve its HIPAA compliance program, including performing a security risk analysis, modifying policies and procedures, and providing training to workforce members. Skagit County has already taken steps to improve its HIPAA compliance since the original incident in 2011.
Skagit County’s Public Health Department provides essential services to individuals who otherwise would not be able to afford health care. This settlement shows that no entity, regardless of whether it provides a public service, is immune from HIPAA compliance obligations.
This settlement and others can be found in our “Select HIPAA Privacy and Security Enforcement Actions” tracker accessible under “Trackers and Presentations” and also under the “Resources” tab.