Skagit County, Washington, has agreed to settle potential violations of the privacy and security rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), according to an announcement by the Office for Civil Rights (OCR) on Friday.  OCR reported that Skagit County, home to approximately 118,000 residents, agreed to a $215,000 monetary settlement and to comply with a three-year HIPAA compliance program under OCR’s watchful eye.

OCR began investigating Skagit County and its Public Health Department when OCR received

a breach report that money receipts with electronic protected health information (ePHI) of seven individuals were accessed by unknown parties after the ePHI had been inadvertently moved to a publicly accessible server maintained by the County.

A relatively minor breach at first glance. However, OCR’s investigation revealed the incident was broader and included the ePHI of 1,581 individuals, in some cases involving files concerning the testing and treatment of infectious diseases. According to the resolution agreement, Skagit County allegedly failed to provide notification as required by the HIPAA Breach Notification Rule to all of the affected individuals for whom it knew or should have known that the privacy or security of the individuals’ ePHI had been compromised.

Like other OCR investigations, the enforcement activity uncovered “general and widespread non-compliance by Skagit County with the HIPAA Privacy, Security, and Breach Notification Rules.” For example, OCR looked back to April 20, 2005 (the effective date of the HIPAA Security Rule), and alleged that Skagit County had not complied with various aspects of the HIPAA security regulations, including maintaining written policies and training employees.

The Skagit County Public Health Department provides essential services to many individuals who would otherwise not be able to afford health care. A $215,000 payment to OCR certainly will be a hit to the Department’s budget and the services it provides. Cities, counties and other public sector entities that perform HIPAA covered functions should be reviewing their HIPAA compliance efforts to ensure they are in a strong defensible position. Some basic compliance steps – risk assessment, written policies and procedures, training, a breach response plan, documentation, and others – can go a long way.