The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) has levied a civil penalty of $1,600,000 against the Texas Health and Human Services Commission (TX HHSC) for violating HIPAA Privacy and Security Rules.

The request for payment stems from an investigation into a breach report filed by The Department of Aging and Disability Services (DADS), a state agency under TX HHSC. The report divulged that the electronic protected health information (ePHI) of 6,617 people was made publicly accessible over the internet.

“Texas HHS takes information security and privacy seriously for all the people we serve,” Kelli Weldon, press officer for TX HHSC, told HCB News. “We are continually examining ways to strengthen our processes for the health and safety of Texans.”

The breach was reported in 2015 and involved the movement of an internal application from a private, secure server to a public server. A flaw in the software code enabled access to unauthorized users without access credentials.

The OCR asserts that DADS violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules occurred between 2013 and 2017 by failing to conduct an enterprise-wide risk analysis, and implement access and audit controls on its information systems and applications, as required by the HIPAA Security Rule.

Among the information made publicly available were names, addresses, social security numbers and treatment information of patients. DADS was unable to determine the number of unauthorized personnel who accessed patients’ ePHI, due to inadequate audit controls.

"The US Department of Health and Human Services has found that organizations are noncompliant with HIPAA in 70 percent of its investigations. However, the vast majority of these cases did not rise to the level necessitating the imposition of fines like the TX HHSC case," Stephen A. Timoni, attorney at law at Lindabury, McCormick, Estabrook & Cooper, P.C. — which was not connected to the case against TX HHSC — told HCB News. "The concerning high noncompliance rate with HIPAA laws is due to many factors such as lack of awareness, the perceived and actual excessive cost of compliance, the complexity of the law, insufficient education and training and organizations not seeking expert legal advice when in doubt."

He suggests that aside from privacy and security controls and risk assessment analyses, providers looking to understand and comply with HIPAA regulations should institute the following:

Health IT Homepage