HHS Reports First HIPAA Settlement with a County Government


According to a HHS press release issued last Friday, Skagit County, Washington, has agreed to a $215,000 settlement with the agency to resolve allegations that the county’s HIPAA compliance program was deficient.  The Skagit County HIPAA settlement is the first that the agency has entered with a county government. 

Skagit County is located in Northwest Washington and is home to approximately 118,000 residents.  The Skagit County Public Health Department provides essential medical services to many of the county’s residents who cannot otherwise afford care. 

According to the agency, HHS’s Office for Civil Rights (“OCR”) opened an investigation of Skagit County upon receiving a breach report that money receipts with electronic protected health information (ePHI) of seven individuals were accessed by unknown parties after the ePHI had been inadvertently moved to a publicly accessible server maintained by Skagit County.  OCR’s investigation revealed a broader exposure of protected health information involved in the incident, which included the ePHI of 1,581 individuals.  Many of the accessible files involved sensitive information, including protected health information concerning the testing and treatment of infectious diseases.  OCR’s investigation further uncovered general and widespread non-compliance by Skagit County with the HIPAA Privacy, Security, and Breach Notification Rules, the agency’s press release explains.

The Deputy Director of Health Information Privacy at OCR said, “This case marks the first settlement with a county government and sends a strong message about the importance of HIPAA compliance to local and county governments, regardless of size.”  She also noted that “[t]hese agencies need to adopt a meaningful compliance program to ensure the privacy and security of patients’ information.”

As part of the settlement, Skagit County agreed to implement a corrective action plan (which is attached to the Resolution Agreement) to ensure that it has in place written policies and procedures, documentation requirements, training, and other measures to comply with the HIPAA Rules.  The corrective action plan also requires Skagit County to provide regular status reports to OCR.

View a copy of HHS’s press release by clicking here and a copy of the Resolution Agreement by clicking here.

Reporters, Ramsey Prather, Atlanta,+ 1 404 572 4624, rprather@kslaw.com, and Constance F. Dotzenrod, Atlanta, + 1 404 572 3585, cdotzenrod@kslaw.com.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising

Written by:


King & Spalding on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.