First-ever settlement with local government
In the first settlement with a local government, the Department of Health and Human Services (HHS) reached an agreement with Skagit County, WA, about HIPAA violations.
The department previously reached a settlement with the state Medicaid agency in Alaska, but it has never reached a settlement with a local branch of government.
The county’s troubles began on Dec. 9, 2011, when Skagit County reported to HHS that it had inadvertently provided public access to the protected information of seven individuals. HHS then discovered that the breach was larger. Skagit County had inadvertently uploaded files containing the protected health information (PHI) of 1,581 individuals onto a public web server.
The HHS Office for Civil Rights (OCR) investigated the county’s privacy and security practices and found what it calls "widespread non-compliance" with the HIPAA privacy, security, and breach notification rules. The investigation ended recently with a resolution agreement that requires Skagit County to pay $215,000 and adhere to a stringent remediation and reporting program.