According to a HHS press release issued last Friday, Skagit County, Washington, has agreed to a $215,000 settlement with the agency to resolve allegations that the county’s HIPAA compliance program was deficient. The Skagit County HIPAA settlement is the first that the agency has entered with a county government.
Skagit County is located in Northwest Washington and is home to approximately 118,000 residents. The Skagit County Public Health Department provides essential medical services to many of the county’s residents who cannot otherwise afford care.
According to the agency, HHS’s Office for Civil Rights (“OCR”) opened an investigation of Skagit County upon receiving a breach report that money receipts with electronic protected health information (ePHI) of seven individuals were accessed by unknown parties after the ePHI had been inadvertently moved to a publicly accessible server maintained by Skagit County. OCR’s investigation revealed a broader exposure of protected health information involved in the incident, which included the ePHI of 1,581 individuals. Many of the accessible files involved sensitive information, including protected health information concerning the testing and treatment of infectious diseases. OCR’s investigation further uncovered general and widespread non-compliance by Skagit County with the HIPAA Privacy, Security, and Breach Notification Rules, the agency’s press release explains.
The Deputy Director of Health Information Privacy at OCR said, “This case marks the first settlement with a county government and sends a strong message about the importance of HIPAA compliance to local and county governments, regardless of size.” She also noted that “[t]hese agencies need to adopt a meaningful compliance program to ensure the privacy and security of patients’ information.”
As part of the settlement, Skagit County agreed to implement a corrective action plan (which is attached to the Resolution Agreement) to ensure that it has in place written policies and procedures, documentation requirements, training, and other measures to comply with the HIPAA Rules. The corrective action plan also requires Skagit County to provide regular status reports to OCR.