Skagit County, Washington To Pay $215000 For Non-Compliance With HIPAA Privacy, Security, And Breach Notification Rules

Skagit County is located in Northwest Washington, and is home to approximately 118,000 residents. County Public Health Department provides essential services to many individuals who would otherwise not be able to afford health care. Skagit County, Washington to pay $215000 to settle potential violations of the HIPAA Privacy, Security, and Breach Notification Rules.

Skagit County agreed to work closely with the Department of Health and Human Services (HHS) to correct deficiencies in its HIPAA compliance training program. OCR opened an investigation of Skagit County upon receiving a breach report that money receipts with electronic protected health information (ePHI) of seven individuals were accessed by unknown parties after the ePHI had been inadvertently moved to a publicly accessible server maintained by the County.  OCR’s investigation revealed a broader exposure of protected health information involved in the incident, which included the ePHI of 1,581 individuals. Many of the accessible files involved sensitive information, including protected health information concerning the testing and treatment of infectious diseases.  OCR’s investigation further uncovered general and widespread non-compliance by Skagit County with the HIPAA Privacy, Security, and Breach Notification Rules.

Skagit County continues to cooperate with OCR through a corrective action plan to ensure it has in place written policies and procedures, documentation requirements, training, and other measures to comply with the HIPAA Rules.  This corrective action plan also requires Skagit County to provide regular status reports to OCR.