Health Care Law Alert: Skagit County Fined $215,000 for HIPAA Violations


Skagit County in northwest Washington state has been fined $215,000 for violations of the HIPAA privacy, security, and breach notification rules. The U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into a settlement agreement with the County on March 6. The settlement, which includes a corrective action plan for the County, is the first such action taken against a local government for HIPAA non-compliance.

From September 14 to September 28, 2011, the protected health information (“PHI”) of 1,581 individuals served by the County’s public health department was disclosed because it was accessible on the County’s public Web server. The County discovered the breach on September 28 and first notified OCR on November 16, 2011. But the County took no action to mitigate the breach or comply with HIPAA. According to the OCR, “From November 28, 2011 until present, Skagit County failed to provide notification as required by the Breach Notification Rule to all of the individuals for whom it knew or should have known that the privacy or security of the individual’s ePHI had been compromised as a result of the breach incident.”

The County failed to implement sufficient policies and procedures to prevent, detect, contain and correct security violations in violation of the Security Rule. It was not until June 1, 2012 that the County finally implemented policies and procedures to ensure compliance with the Security Rule, and at no time did the County provide security awareness and training to employees.

The agreed to corrective action plan includes notifying affected individuals and local media, as well as posting notification prominently on the County’s home page for 90 days. The County also will conduct “an accurate and thorough assessment of the potential risks and vulnerabilities” and train employees and implement sufficient security measures, according to the resolution agreement. Moreover, “Skagit County shall maintain for inspection and copying all documents and records relating to compliance with this [corrective action plan] for six years.”

This incident highlights the need for entities maintaining PHI to ensure that appropriate policies and procedures are in place to protect PHI and timely respond to breaches of such.

Written by:

Published In:


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Stoel Rives LLP | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »

All the intelligence you need, in one easy email:

Great! Your first step to building an email digest of JD Supra authors and topics. Log in with LinkedIn so we can start sending your digest...

Sign up for your custom alerts now, using LinkedIn ›

* With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name.