Wash. county faces $215K fine for HIPAA violations

Laura Pedulli | | Health Exec | Cybersecurity

Skagit County in Washington state faces a $215,000 fine for violating several HIPAA rules relating to privacy, security and breach notification.

In December 2011, the Department of Health & Human Services (HHS) Office of Civil Rights received notification from Skagit County regarding a breach of its unsecured electronic protected health information (ePHI). The following year, HHS began investigating Skagit County and discovered a number of HIPAA violations, according to the settlement reached between HHS and Skagit County.

Among its findings, HHS learned that for two weeks in September 2011, Skagit County disclosed the ePHI of 1,581 individuals by providing access to their health information on its public web server.

Also, from Nov. 28, 2011, until the time of the settlement, Skagit County failed to provide notification to all individuals whose ePHI had been comprised. Also, the county failed to implement sufficient policies and procedures to prevent, detect, contain and correct security violations; failed to maintain written or electronic policies to ensure compliance with the HIPAA security rule; and failed to provide security awareness and training to its staff.

In addition to paying $215,000, the settlement requires the county to comply with a corrective action plan, which includes:

  • Providing substitute breach notification to affected individuals not previously notified;
  • Providing HHS a description of its procedures that ensures the content of any accounting of disclosures;
  • Submitting for HHS review hybrid entity and business association documentation;
  • Conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI;
  • Creating and updating policies and procedures regarding HIPAA compliance;
  • Training workforce on HIPAA compliance; and
  • Investigating any HIPAA violations in a prompt manner.

Read the full settlement here.

Laura Pedulli

Related Content

Healthcare hacker sentenced to 10 years in prison
Ransomware group deploys ticking clock to threaten Georgia hospital
Hackers were inside an Iowa hospital’s network for two weeks
Microsoft: Ransomware hit nearly 400 healthcare entities this year—a 300% rise since 2015
Feds make it official: Change data breach was the largest in healthcare history, impacting 100M
CMS contractor takes $1.2M loss after data breach, DOJ lawsuit

Around the web

Cardiovascular Business
Q&A: MedAxiom CEO explores key trends in cardiologist, cardiovascular surgeon compensation

Compensation for heart specialists continues to climb. What does this say about cardiology as a whole? Could private equity's rising influence bring about change? We spoke to MedAxiom CEO Jerry Blackwell, MD, MBA, a veteran cardiologist himself, to learn more.

Cardiovascular Business
Payment cuts and beyond: Key takeaways for cardiologists from the 2025 Medicare Physician Fee Schedule

The American College of Cardiology has shared its perspective on new CMS payment policies, highlighting revenue concerns while providing key details for cardiologists and other cardiology professionals. 

AI in Healthcare
A modest proposal to rally AI regulators around a simple game plan

As debate simmers over how best to regulate AI, experts continue to offer guidance on where to start, how to proceed and what to emphasize. A new resource models its recommendations on what its authors call the “SETO Loop.”