OCR Imposes a $1.6 Million Civil Money Penalty against Texas Health and Human Services Commission

November 7, 2019

By Anton Kiorolgo

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) has imposed a $1,600,000 civil money penalty against the Texas Health and Human Services Commission (TX HHSC), for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules between 2013 and 2017.

How the Texas Health and Human Services Commission Fell Prey

TX HHSC is part of the Texas HHS system, which operates state-supported living centers; provides mental health and substance use services; regulates childcare and nursing facilities; and administers hundreds of programs for people who need assistance, including supplemental nutrition benefits and Medicaid. The Department of Aging and Disability Services (DADS), a state agency that administered long-term care services for people who are aging, and for people with intellectual and physical disabilities, was reorganized into TX HHSC in September 2017.

On June 11, 2015, DADS filed a breach report with OCR stating that the electronic protected health information (ePHI) of 6,617 individuals was viewable over the internet, including names, addresses, social security numbers, and treatment information. The breach occurred when an internal application was moved from a private, secure server to a public server and a flaw in the software code allowed access to ePHI without access credentials. OCR’s investigation determined that, in addition to the impermissible disclosure, DADS failed to conduct an enterprise-wide risk analysis and to implement access and audit controls on its information systems and applications, as required by the HIPAA Security Rule. Because of inadequate audit controls, DADS was unable to determine how many unauthorized persons accessed individuals’ ePHI.

The Notice of Proposed Determination and Notice of Final Determination may be found here.