HHS Reports First HIPAA Settlement with a County Government


According to a HHS press release issued last Friday, Skagit County, Washington, has agreed to a $215,000 settlement with the agency to resolve allegations that the county’s HIPAA compliance program was deficient.  The Skagit County HIPAA settlement is the first that the agency has entered with a county government. 

Skagit County is located in Northwest Washington and is home to approximately 118,000 residents.  The Skagit County Public Health Department provides essential medical services to many of the county’s residents who cannot otherwise afford care. 

According to the agency, HHS’s Office for Civil Rights (“OCR”) opened an investigation of Skagit County upon receiving a breach report that money receipts with electronic protected health information (ePHI) of seven individuals were accessed by unknown parties after the ePHI had been inadvertently moved to a publicly accessible server maintained by Skagit County.  OCR’s investigation revealed a broader exposure of protected health information involved in the incident, which included the ePHI of 1,581 individuals.  Many of the accessible files involved sensitive information, including protected health information concerning the testing and treatment of infectious diseases.  OCR’s investigation further uncovered general and widespread non-compliance by Skagit County with the HIPAA Privacy, Security, and Breach Notification Rules, the agency’s press release explains.

The Deputy Director of Health Information Privacy at OCR said, “This case marks the first settlement with a county government and sends a strong message about the importance of HIPAA compliance to local and county governments, regardless of size.”  She also noted that “[t]hese agencies need to adopt a meaningful compliance program to ensure the privacy and security of patients’ information.”

As part of the settlement, Skagit County agreed to implement a corrective action plan (which is attached to the Resolution Agreement) to ensure that it has in place written policies and procedures, documentation requirements, training, and other measures to comply with the HIPAA Rules.  The corrective action plan also requires Skagit County to provide regular status reports to OCR.

View a copy of HHS’s press release by clicking here and a copy of the Resolution Agreement by clicking here.

Reporters, Ramsey Prather, Atlanta,+ 1 404 572 4624, rprather@kslaw.com, and Constance F. Dotzenrod, Atlanta, + 1 404 572 3585, cdotzenrod@kslaw.com.

Written by:

Published In:


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »

All the intelligence you need, in one easy email:

Great! Your first step to building an email digest of JD Supra authors and topics. Log in with LinkedIn so we can start sending your digest...

Sign up for your custom alerts now, using LinkedIn ›

* With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name.