Texas Health and Human Services Commission Receives $1.6 Million Civil Money Penalty for HIPAA Violations

Last week, the United States Department of Health and Human Services, Office for Civil Rights (OCR) imposed a $1.6 million civil money penalty against the Texas Health and Human Services Commission (HHSC), a state agency, after a 2015 breach notification report revealed a security vulnerability on the HHSC web-facing application for its Community Living Assistance and Support Services and Deaf Blind with Multiple Disabilities program. When transferring the internal application from a private, secure server to a public server, the Protected Health Information (PHI) of 6,617 individuals became viewable to the public. The breach allowed unauthorized users to view individuals’ names, residences, addresses, Social Security and Medicaid numbers, and treatment or diagnosis information.

During the OCR’s investigation of the breach, it found that HHSC failed to (i) conduct an enterprise-wide security risk analysis, (ii) implement access controls to its systems and applications, and (iii) audit user access to its public server, in violation of the Health Insurance Portability and Accountability Act (HIPAA). This permitted unauthorized users to access and view PHI without verifying user credentials. Additionally, the HHSC was unable to determine how many unauthorized users accessed protected health information during, and as a result of, the incident.

In calculating the civil money penalty, the OCR found no actual evidence of physical, financial, or reputational harm to the affected individuals, nor disruption in individuals’ ability to obtain health care; however, the HHSC’s prolonged noncompliance resulted in an imposed a penalty of $1,000.00 per day.

To avoid substantial penalties for noncompliance, covered entities and business associates must ensure comprehensive HIPAA policies and procedures are adequately enforced, and appropriate risk assessments are conducted to prevent, or to mitigate security incidents. It is also prudent for all covered entities to have a risk assessment performed by a qualified, independent third-party, such as a law firm. For a complete review of your practice or pharmacy’s HIPAA compliance plan, contact Frier Levitt today.