$1.6 Million HIPAA Penalty Paid By Texas Health and Human Services Commission

The Department of Health and Human Services’ Office for Civil Rights (OCR) issued a $1.6 million civil monetary penalty (CMP) to Texas Health and Human Services Commission (TX HHSC) for a number of Health Insurance Portability and Accountability Act (HIPAA) Rules violations.

TX HHSC, as a state agency, runs supported living centers, manages nursing and childcare centers, provides substance abuse and mental health services, and supervises many state programs for people who need assistance, such as those with intellectual and physical disabilities.

OCR started an investigation after the Department of Aging and Disability Services (DADS) submitted a breach report. DADS is a state agency that became TX HHSC in September 2017. According to the June 11, 2015 DADS report to OCR, a security incident resulted in the online exposure of 6,617 people’s electronic protected health information (ePHI). The data exposed included names, diagnoses, treatment details, addresses, Social Security numbers and Medicaid numbers.

The data exposure was caused by the migration of an internal application, CLASS/DBMD, from a private server to a public server. A defect in the application allowed ePHI to be accessed online without any validation (no credential was required), so a Google search could surface and expose private and highly sensitive data.

TX HHSC could not produce documentation showing compliance with three key HIPAA Rules provisions. OCR therefore determined that TX HHSC had violated the following four HIPAA Rules:

  • 45 C.F.R. § 164.308(a)(1)(ii)(A) – Failure to perform an accurate, organization-wide risk analysis to identify all risks to the confidentiality, integrity and availability of PHI
  • 45 C.F.R. § 164.502(a) – The failures above resulted in an impermissible disclosure of 6,617 individuals’ ePHI.
  • 45 C.F.R. § 164.312(a)(1) – Failure to implement access controls: no credential was required to access the ePHI held in its CLASS/DBMD application.
  • 45 C.F.R. § 164.312(b) – Failure to implement audit controls logging user access on the public server, which prevented TX HHSC from identifying who accessed ePHI within the application during the period of exposure.
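The two technical failures in the findings above, no credential required and no audit trail of access, are the ones a defender can see directly in code. The following added example (not TX HHSC's or OCR's code; the record store, session table, user names and IP addresses are constructed placeholders) contrasts a record-lookup handler that serves data to anyone and logs nothing with one that requires a valid session, checks the caller's role, and writes an audit entry for every attempt, granted or not, so the question OCR found unanswerable, who accessed a given record, can be answered from the log.

```python
"""Access control and audit logging for a record-lookup endpoint.

Added illustration, not TX HHSC's application: every record, session token,
user and IP address below is constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed stand-ins for ePHI records keyed by a case id (placeholders only).
RECORDS = {
    "1001": {"name": "Sample Person A", "diagnosis": "placeholder"},
    "1002": {"name": "Sample Person B", "diagnosis": "placeholder"},
}

# Constructed session table: token -> (user id, role). A real deployment would
# consult a session store or identity provider; a dict keeps this self-contained.
SESSIONS = {
    "tok-caseworker": ("jdoe", "caseworker"),
    "tok-auditor": ("asmith", "auditor"),
}
ROLES_ALLOWED_TO_READ = {"caseworker"}


@dataclass
class AuditEntry:
    when: datetime
    user: Optional[str]      # None when no credential was presented
    source_ip: str
    record_id: str
    outcome: str             # "granted", "denied" or "no_credential"


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, **fields):
        # Append-only: every attempt is written, including failed ones.
        self.entries.append(AuditEntry(when=datetime.now(timezone.utc), **fields))

    def who_accessed(self, record_id):
        """The question audit controls exist to answer: who touched this record?"""
        return [(e.user, e.outcome) for e in self.entries if e.record_id == record_id]


def fetch_record_exposed(request, record_id):
    """Weak pattern matching the finding: no credential check and no log entry.
    On a public server this is reachable by anyone, including search crawlers."""
    return RECORDS.get(record_id)


def fetch_record_hardened(request, record_id, audit):
    """164.312(a)(1): require a valid credential and an authorized role.
    164.312(b): write an audit entry for every attempt before returning."""
    token = request.get("headers", {}).get("X-Session-Token")  # assumed header name
    ip = request.get("remote_addr", "unknown")
    session = SESSIONS.get(token)
    if session is None:
        audit.record(user=None, source_ip=ip, record_id=record_id, outcome="no_credential")
        return None
    user, role = session
    if role not in ROLES_ALLOWED_TO_READ:
        audit.record(user=user, source_ip=ip, record_id=record_id, outcome="denied")
        return None
    audit.record(user=user, source_ip=ip, record_id=record_id, outcome="granted")
    return RECORDS.get(record_id)


if __name__ == "__main__":
    log = AuditLog()
    anonymous = {"headers": {}, "remote_addr": "203.0.113.5"}        # constructed
    caseworker = {"headers": {"X-Session-Token": "tok-caseworker"},
                  "remote_addr": "198.51.100.7"}                      # constructed
    print("exposed handler, anonymous:", fetch_record_exposed(anonymous, "1001"))
    print("hardened handler, anonymous:", fetch_record_hardened(anonymous, "1001", log))
    print("hardened handler, caseworker:", fetch_record_hardened(caseworker, "1001", log))
    print("who accessed 1001:", log.who_accessed("1001"))
```

The hardened handler logs before it decides, so a denied or unauthenticated request still leaves a trace with a source address, which is exactly the evidence that was missing when TX HHSC tried to establish who had reached the exposed data.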

HIPAA sets financial penalties according to the level of culpability. OCR found that TX HHSC’s violations did not amount to willful neglect and involved reasonable cause, which is the second penalty tier. For each of the HIPAA violations listed above, the penalty ranges from a minimum of $1,000 to a maximum of $100,000 per year. TX HHSC’s risk analysis, access control and audit control failures spanned the years 2013 to 2017, hence the total penalty of $1.6 million.

Covered entities should know who could access PHI under their care at all times. There should be no worries that somebody could discover the private health data by means of a Google search.

The HIPAA penalty was first reported in March 2019, when it appeared that TX HHSC and OCR had reached a settlement concerning the HIPAA violations. The 86th Legislature of the State of Texas had decided to accept the settlement; nonetheless, it appears the proposed settlement was declined. OCR issued a Notice of Proposed Determination on July 29, 2019.

TX HHSC did not contest the findings of OCR’s Notice of Proposed Determination and waived its right to a hearing. OCR collected the CMP from TX HHSC on October 25, 2019.

This is the second HIPAA penalty OCR has announced this week. A few days ago, OCR announced a $3 million settlement with the University of Rochester Medical Center to resolve HIPAA violations related to lost unencrypted devices containing ePHI.

Seven HIPAA penalties have been issued in 2019, totaling $9,949,000, with the TX HHSC CMP being the seventh.