Health Care Law Alert: Skagit County Fined $215,000 for HIPAA Violations


Skagit County in northwest Washington state has been fined $215,000 for violations of the HIPAA privacy, security, and breach notification rules. The U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into a settlement agreement with the County on March 6. The settlement, which includes a corrective action plan for the County, is the first such action taken against a local government for HIPAA non-compliance.

From September 14 to September 28, 2011, the protected health information (“PHI”) of 1,581 individuals served by the County’s public health department was disclosed because it was accessible on the County’s public Web server. The County discovered the breach on September 28 and first notified OCR on November 16, 2011. But the County took no action to mitigate the breach or comply with HIPAA. According to the OCR, “From November 28, 2011 until present, Skagit County failed to provide notification as required by the Breach Notification Rule to all of the individuals for whom it knew or should have known that the privacy or security of the individual’s ePHI had been compromised as a result of the breach incident.”

In violation of the Security Rule, the County failed to implement sufficient policies and procedures to prevent, detect, contain and correct security violations. It was not until June 1, 2012 that the County finally implemented policies and procedures to ensure compliance with the Security Rule, and at no time did the County provide security awareness training to employees.

The agreed-upon corrective action plan includes notifying affected individuals and local media, as well as posting notification prominently on the County’s home page for 90 days. The County also will conduct “an accurate and thorough assessment of the potential risks and vulnerabilities,” train employees, and implement sufficient security measures, according to the resolution agreement. Moreover, “Skagit County shall maintain for inspection and copying all documents and records relating to compliance with this [corrective action plan] for six years.”

This incident highlights the need for entities maintaining PHI to ensure that appropriate policies and procedures are in place to protect PHI and to respond to breaches of PHI in a timely manner.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Stoel Rives LLP | Attorney Advertising
