The HHS Office for Civil Rights has fined Skagit County in Northwest Washington $215,000 for violations of the HIPAA privacy, security and breach notification rules.

The settlement, which includes a corrective action plan for Skagit County, is the first such action taken against a local government for HIPAA non-compliance. From about Sept. 14 to Sept. 28, 2011, the PHI of 1,581 individuals served by its public health department was disclosed because it was accessible on the county’s public Web server, according to the OCR. The county discovered the breach on Sept. 28 and first notified the OCR on Nov. 16, 2011. The OCR in turn notified the county on May 25, 2012 of an investigation of the breach.

But the county took no action in 2011 or later to mitigate the breach or comply with HIPAA rules. According to the OCR, “From November 28, 2011 until present, Skagit County failed to provide notification as required by the Breach Notification Rule to all of the individuals for whom it knew or should have known that the privacy or security of the individual’s ePHI had been compromised as a result of the breach incident,” the resolution agreement contends.

Further, from the security rule compliance date of April 20, 2005, until now, the county failed to implement sufficient policies and procedures to prevent, detect, contain and correct security violations. And, from the compliance date until June 1, 2012, the county did not implement policies and procedures to ensure compliance with the security rule. Also, until the present, the county did not provide security awareness and training to all employees--including information security staff members.

Now, Skagit County has agreed to a corrective action plan that includes notifying affected individuals and local media, as well as posting notification prominently on its home page for 90 days. The county also will conduct “an accurate and thorough assessment of risks and vulnerabilities” and train employees and implement sufficient security measures, according to the resolution agreement. “Skagit County shall maintain for inspection and copying all documents and records relating to compliance with this CAP (corrective action plan) for six years.”

OCR now has levied fines and corrective action resolutions against more than 20 organizations. An OCR spokesperson tells Health Data Management that there is a common link among most of the cases that rise to the level of a monetary settlement. “There is a long-standing pattern of non-compliance with the rules and little to no action taken by the covered entity to correct their deficiencies following the breach.”

The resolution agreement is available here.

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access