OCR Imposes $1.6 Million Civil Monetary Penalty on Texas Health and Human Services Commission for HIPAA Violations

Texas Health and Human Services Commission civil monetary penalty

The Department of Health and Human Services’ Office for Civil Rights (OCR) has fined another HIPAA-covered entity for violations of Health Insurance Portability and Accountability Act (HIPAA) Rules.

A civil monetary penalty (CMP) of $1.6 million has been imposed on the Texas Health and Human Services Commission (TX HHSC) for violations of HIPAA Rules discovered during the investigation of a data breach reported by the Texas Department of Aging and Disability Services (DADS) in June 2015.

TX HHSC is a regulator of nursing and childcare facilities and operates supported living facilities in the state of Texas. TX HHSC also administers state programs for people in need of assistance, such as individuals with physical disabilities and mental health issues. DADS was reorganized into TX HHSC in September 2017.

The breach in question saw the electronic protected health information of 6,617 individuals exposed online. Anyone with a web browser could have found the information via a Google search. The exposed information included names, addresses, Medicaid numbers, Social Security numbers, diagnoses, and treatment information.

DADS had migrated an internal application from a private server to a public server; however, a flaw in the public server allowed ePHI to be accessed without the need for authentication.

As with all breaches of more than 500 records, OCR launched an investigation to determine whether the breach had occurred as a result of the failure to comply with HIPAA Rules. The investigation uncovered three areas of noncompliance. DADS had failed to implement access controls to prevent ePHI on the public server from being accessed by unauthorized individuals.

No audit controls had been implemented, so it was not possible to tell whether the ePHI had been subjected to unauthorized access from the date of migration to the time of discovery of the breach. DADS was unable to demonstrate that it had conducted a comprehensive, organization-wide risk analysis and, as a result, could not show that all risks to the confidentiality, integrity, and availability of ePHI had been identified. These areas of noncompliance contributed to the impermissible disclosure of 6,617 individuals’ ePHI.

The compliance failures persisted from 2013 to 2017. Under the HIPAA penalty structure, financial penalties are based on the length of time that a violation has been allowed to persist, the number of individuals impacted, the level of culpability, and several other factors. OCR determined that the violations did not constitute willful neglect of HIPAA Rules (penalty tiers 3 & 4), and instead determined they constituted reasonable cause (penalty tier 2).

Earlier this year, OCR re-evaluated the changes to HIPAA penalties mandated by the HITECH Act and determined that there had been a misinterpretation of what Congress had intended. OCR issued a notice of enforcement discretion and reduced the maximum penalties for HIPAA violations for the first three HIPAA penalty tiers. The fines were calculated based on this new interpretation of the HITECH Act, which for reasonable cause, meant a minimum fine of $1,000 for each violation, per day, prior to November 2, 2015, and $1,141 per day thereafter, up to a maximum of $100,000 per violation category for each calendar year.

TX HHSC was given the opportunity to provide written evidence or mitigating factors in support of a waiver of the CMP but failed to provide such information within 30 days of receiving the notice of proposed determination. The full financial penalty was therefore imposed.

“Covered entities need to know who can access protected health information in their custody at all times,” said OCR Director Roger Severino. “No one should have to worry about their private health information being discoverable through a Google search.”