PHI of 100 Patients In the Possession of a Terminated Employee

An employee of Texas Health and Human Services Commission (HHSC) has the protected health information (PHI) of approximately 100 patients in her possession after she lost her job. Her personal things were collected from her office desk and put in boxes after she was terminated. By mistake, benefits application forms were put in the boxes.

The terminated employee is Tracy Ryans. She is 51 years old. HHSC sent the boxes containing Tracy’s personal items by mail. The delivery driver left them on the porch of her residence. One box comprised her personal stuff which include pens, old shoes and a coffee mug. A second box contained documents that contain highly sensitive information of customers. Ryans explained to Texas Tribune that she did not own those stuff. The items were from the office table she shared with fellow employees.

The documents were benefits application forms of around 100 clients and included data like copies of driver’s licenses, Social Security numbers, check stubs and billing statements. The documents were dated April 13, 2018, that is Two weeks following Ryans was fired from HHSC.

Ryans asked for help and advice from Texas State Employees Union with regards to what she needed to do with the paperwork. She was worried that she might be charged with stealing the documents. She returned the documents to HHSC with the help of the union.

Ryans was relieved of her job after 9 years of being employed with HHSC due to the allegation that she failed to make sure the security of customer data and violated HIPAA Rules. Ryans rejects all these accusations. The sending of the boxes with PHI to Ryans is also regarded as a violation of HIPAA Rules since she does not have legal right to possess those documents. However, HHSC has not supplied any kind of information regarding the sent paperworks to Ryans and whether the episode was a case of accidental breach of HIPAA Rules.

HHSC is presently looking into the incident and has reported a potential privacy breach to the Office of Inspector General (OIG). If ever the investigation confirms exposure of patients’ PHI and violation of HIPAA rules, HHSC is going to take the steps needed to minimize the risks and will alert the people whose data was impacted.