$1.6 Million Penalty against Texas Health and Human Services Commission for HIPAA Violations

“No one is safe from HIPAA.” That is the first thought that crossed my mind when I found out about the Texas Health and Human Services Commission (HHSC) situation and the $1.6 million penalty.

As stated in the press release from the Department of Health and Human Services:

TX HHSC is part of the Texas HHS system, which operates state supported living centers; provides mental health and substance use services; regulates child care and nursing facilities; and administers hundreds of programs for people who need assistance, including supplemental nutrition benefits and Medicaid. The Department of Aging and Disability Services (DADS), a state agency that administered long-term care services for people who are aging, and for people with intellectual and physical disabilities, was reorganized into TX HHSC in September 2017.

On June 11, 2015, DADS filed a breach report with the Office for Civil Rights (OCR) stating that the electronic protected health information (ePHI) of 6,617 individuals was viewable over the internet, including names, addresses, social security numbers, and treatment information. The breach occurred when an internal application was moved from a private, secure server to a public server and a flaw in the software code allowed access to ePHI without access credentials.

Based on the events reported, OCR investigated the Texas Health and Human Services Commission breach and determined that:

  • There was an impermissible disclosure of patient information,
  • The organization failed to conduct an enterprise-wide risk analysis, and
  • The organization failed to implement access and audit controls on its information systems and applications as required by the HIPAA Security Rule.

The press release from HHS ended with a quote from OCR Director Roger Severino emphasizing that “Covered entities need to know who can access protected health information in their custody at all times.”

The Notice of Proposed Determination and Notice of Final Determination may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/txhhsc/index.html