Wash. county to pay $215,000 over HIPAA violations

The Office for Civil Rights at HHS has reached a $215,000 settlement with Washington state's Skagit County following a security breach of 1,581 local patients' personally identifiable medical information, according to the federal agency. The settlement puts governmental bodies across the country on notice about taking Health Insurance Portability and Accountability Act compliance seriously.

“This case marks the first settlement with a county government and sends a strong message about the importance of HIPAA compliance to local and county governments, regardless of size,” said Susan McAndrew, deputy director of health information privacy at the OCR. “These agencies need to adopt a meaningful compliance program to ensure the privacy and security of patients' information.”

The OCR, which has enforcement authority for HIPAA's privacy and security rule provisions, began its Skagit County investigation with a breach incident in which electronic receipts for seven patients containing their protected health information had been improperly placed online and accessed.

Investigators soon found that nearly 1,600 individuals' records had been similarly exposed, the OCR said, and included information about testing and treatment of infectious diseases. The probe also revealed “general and widespread non-compliance” by Skagit County with the privacy, security and breach notification provisions of HIPAA. The county's public health department provides services to individuals who might not otherwise be able to afford healthcare, an HHS statement said.

In addition to its monetary penalty, Skagit County also agreed to a corrective action plan and to provide OCR with regular status reports, the statement said.

Follow Joseph Conn on Twitter: @MHJConn