Skagit County, Washington, has agreed to pay $215,000 and comply with a three-year corrective action plan to settle potential violations of the privacy and security rules under HIPAA (the Health Insurance Portability and Accountability Act of 1996), the Office for Civil Rights (OCR) of the Department of Health and Human Services has announced.

Skagit County is home to approximately 118,000 residents. “This case marks the first settlement with a county government and sends a strong message about the importance of HIPAA compliance to local and county governments, regardless of size,” said Susan McAndrew, deputy director of health information privacy at OCR. “These agencies need to adopt a meaningful compliance program to ensure the privacy and security of patients’ information.” Entities covered by HIPAA include cities and counties and, as this case illustrates, the consequences for possible non-compliance can be severe.

OCR began investigating Skagit County and its Public Health Department in 2011, after receiving “a breach report that money receipts with electronic protected health information (ePHI) of seven individuals were accessed by unknown parties after the ePHI had been inadvertently moved to a publicly accessible server maintained by the County.” OCR’s investigation revealed the incident included the ePHI of 1,581 individuals. In some cases, the ePHI involved files about the testing and treatment of infectious diseases. 

According to the Resolution Agreement, Skagit County allegedly failed to provide notification, as required by the HIPAA Breach Notification Rule, to all affected individuals for whom it knew or should have known that the privacy or security of the individuals’ ePHI had been compromised.

Similar to other OCR investigations, the Office’s enforcement activity uncovered “general and widespread non-compliance by Skagit County with the HIPAA Privacy, Security, and Breach Notification Rules.” OCR looked back to April 20, 2005 (the effective date of the security rules) and alleged non-compliance with certain requirements of the rules, including the failure to maintain written policies and train employees.

The Skagit County Public Health Department provides essential services to individuals who otherwise would not be able to afford health care. A $215,000 payment to OCR certainly will be a hit to the Department’s budget and the services it provides. 

Cities, counties and other public sector entities that perform HIPAA-covered functions should review their policies and procedures to ensure compliance. Basic components of an effective program include risk assessment, written policies and procedures, training, breach response plan, and documentation.