On November 7, 2019, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced a $1,600,000 civil money penalty for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Breach Notification Rules.

According to HHS, the Texas Health and Human Services Commission (TX HHSC) “operates state supported living centers; provides mental health and substance use services; regulates child care and nursing facilities; and administers hundreds of programs for people need assistance, including supplemental nutrition benefits and Medicaid.”  TX HHSC also includes, since September 2017, the Department of Aging and Disability Services (DADS), a state agency that administers long-term care services for the aging.

According to the HHS Notice of Proposed Determination, the HIPAA violations committed by TX HHSC included:

  • In 2015, TX HHSC reported that electronic protected health information of 6,617 individuals became viewable over the internet after a breach following a server migration and a flaw in the software code.  The information available included names, addresses, social security numbers, and treatment information.  HHS also learned that TX HHSC had “never performed an ‘agency-wide’ security risk analysis.”

TX HHSC did not submit any written evidence of mitigating factors or affirmative defenses for consideration.  TX HHSC also waived its right to a hearing.

You can read the HHS Press Release, the Notice of Proposed Determination and the Notice of Final Determination here: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/txhhsc/index.html?language=en

If you would like guidance on how it can prevent HIPAA violations from occurring, or how to handle a HIPAA violation, please contact our firm.