The Texas Health and Human Services Commission must pay $1.6 million for violating HIPAA Privacy and Security Rules

Texas state agency to pay $1.6 million for HIPAA violation

November 12, 2019
by John R. Fischer, Senior Reporter
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) has levied a civil penalty of $1,600,000 against the Texas Health and Human Services Commission (TX HHSC) for violating HIPAA Privacy and Security Rules.

The request for payment stems from an investigation into a breach report filed by The Department of Aging and Disability Services (DADS), a state agency under TX HHSC. The report divulged that the electronic protected health information (ePHI) of 6,617 people was made publicly accessible over the internet.

“Texas HHS takes information security and privacy seriously for all the people we serve,” Kelli Weldon, press officer for TX HHSC, told HCB News. “We are continually examining ways to strengthen our processes for the health and safety of Texans.”

The breach was reported in 2015 and involved the migration of an internal application from a private, secure server to a public server. A flaw in the application's code allowed unauthorized users to access it without any access credentials.

The OCR asserts that DADS violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules between 2013 and 2017 by failing to conduct an enterprise-wide risk analysis and to implement access and audit controls on its information systems and applications, as required by the HIPAA Security Rule.

Among the information made publicly available were names, addresses, social security numbers and treatment information of patients. Because of its inadequate audit controls, DADS was unable to determine how many unauthorized people had accessed patients’ ePHI.

"The US Department of Health and Human Services has found that organizations are noncompliant with HIPAA in 70 percent of its investigations. However, the vast majority of these cases did not rise to the level necessitating the imposition of fines like the TX HHSC case," Stephen A. Timoni, attorney at law at Lindabury, McCormick, Estabrook & Cooper, P.C. — which was not connected to the case against TX HHSC — told HCB News. "The concerningly high noncompliance rate with HIPAA laws is due to many factors such as lack of awareness, the perceived and actual excessive cost of compliance, the complexity of the law, insufficient education and training, and organizations not seeking expert legal advice when in doubt."

He suggests that, aside from privacy and security controls and risk assessments, providers looking to understand and comply with HIPAA regulations should institute the following:

A. Build and maintain a culture of privacy and security awareness throughout the organization.
B. Provide annual HIPAA training to all employees.
C. Encrypt data and hardware.
D. Maintain, regularly update and disseminate privacy and security policies.
E. Establish and implement plans to mitigate and best manage security and privacy risks.
F. Execute proper business associate agreements.
G. Perform an analysis, if using cloud computing services, to determine potential risks and how they impact HIPAA compliance.
H. Assign a qualified HIPAA compliance or security officer to oversee HIPAA compliance.
I. Alert employees to be responsible for their data devices and be aware of HIPAA risks with emails and social media use.
J. In anticipation of a possible HIPAA audit or OCR investigation, establish an action and response plan.
K. Be aware of and on alert for potential external data security threats.
L. Seek HIPAA counseling from a qualified attorney.

In a similar case in 2018, a Health and Human Services administrative law judge ruled that the University of Texas MD Anderson Cancer Center had violated HIPAA privacy and security rules in regard to three data breaches that took place in 2012 and 2013. The breaches involved an unencrypted laptop stolen from an MD Anderson employee's home, and the loss of a pair of thumb drives holding records belonging to more than 33,000 people. MD Anderson was ordered to pay a $4.3 million fine.

DADS provides services for the elderly and those with intellectual and physical disabilities.