Today, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services announced a HIPAA settlement with Skagit County, Washington resolving an OCR investigation arising out of a 2011 data breach. OCR determined that the breach was broader than reported in 2011 and that the county failed to comply with the HIPAA Privacy, Security and Breach Notification Rules. In particular, OCR found that the county (i) allowed access to the electronic protected health information (ePHI) of 1,581 individuals on its public web server for two weeks in September 2011; (ii) failed to provide notification to all of the individuals whose ePHI was compromised; (iii) failed to implement sufficient policies and procedures to prevent, detect, contain and correct security violations; (iv) failed to maintain written security policies and procedures; and (v) failed to provide adequate staff training. The county agreed to pay a $215,000 fine and comply with a corrective action plan requiring it to publish breach notification in the media or on its website, implement written policies and procedures, perform a risk analysis, provide training, take other steps to correct deficiencies in its HIPAA compliance, and provide annual reports to OCR for three years.

The OCR press release includes a warning from Susan McAndrew, OCR’s deputy director of health information privacy, that: “This case marks the first settlement with a county government and sends a strong message about the importance of HIPAA compliance to local and county governments, regardless of size. These agencies need to adopt a meaningful compliance program to ensure the privacy and security of patients’ information.” The OCR press release and the Resolution Agreement are available at .

This settlement serves as another reminder of the potentially steep costs of HIPAA noncompliance. For more information, please see our January 16, 2014 Alert at .