The Texas Health and Human Services Commission (TX HHSC) is a Texas state government agency. Its charge is to improve the health, safety and well-being of Texans with good stewardship of public resources. TX HHSC is part of the broader Texas Health and Human Services system, which:
- Operates state-supported living centers;
- Provides mental health and substance abuse services;
- Regulates child care and nursing facilities; and
- Administers programs for Texans who need assistance, including supplemental nutrition benefits and Medicaid.
TX HHSC’s predecessor agency was the Department of Aging and Disability Services (DADS). DADS was reorganized into TX HHSC in September of 2017.
The Department of Health and Human Services’ (DHHS) Office for Civil Rights (OCR) recently imposed a $1,600,000 civil monetary penalty against TX HHSC for a string of HIPAA violations committed by DADS between 2013 and 2017.
How Did the Texas Health and Human Services Commission Violate HIPAA?
This Texas HIPAA horror show became public on October 11, 2015, when DADS filed a breach report with OCR. In its report, DADS informed OCR that the electronic protected health information (ePHI) of almost 7,000 individuals was viewable over the Internet. The ePHI consisted of (among other things) names, addresses, Social Security numbers, and treatment information.
The breach occurred innocently, when an internal application was moved from a private, secure server to a public one. A flaw in the software code allowed ePHI to be accessed without access credentials.
In its investigation, OCR determined that DADS had violated the HIPAA Security Rule by:
- Failing to conduct an enterprise-wide risk analysis
- Failing to implement access and audit controls on its information systems and applications
Because DADS’ audit controls were inadequate, DADS could not determine how many unauthorized persons accessed individuals’ ePHI.
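The two controls OCR found missing are easier to see in code than in prose. The following is an added, constructed illustration (not DADS or TX HHSC code, and the record, token and principal values are made up): every read of a patient record must present a valid credential, and every attempt, whether allowed or denied, is written to an audit log, so that the question DADS could not answer, "who accessed whose ePHI?", can be answered from the log afterwards.

```python
"""Access-gated ePHI lookup with an audit trail (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample ePHI, keyed by a hypothetical patient id.
PATIENT_RECORDS = {
    "P-1001": {"name": "Jane Doe", "ssn_last4": "1234", "treatment": "physical therapy"},
    "P-1002": {"name": "John Roe", "ssn_last4": "5678", "treatment": "counseling"},
}

# Constructed credential store: token -> principal permitted to read ePHI.
# A real deployment would validate sessions against an identity provider.
VALID_TOKENS = {
    "tok-nurse-7": "nurse07",
    "tok-clerk-2": "clerk02",
}


@dataclass
class AuditEvent:
    when: str
    principal: str      # "anonymous" when no valid credential was presented
    patient_id: str
    outcome: str        # "allowed" or "denied"
    source_ip: str


@dataclass
class EphiService:
    audit_log: list = field(default_factory=list)

    def _authenticate(self, token):
        """Map a presented token to a principal, or None if it is not valid."""
        return VALID_TOKENS.get(token)

    def get_record(self, token, patient_id, source_ip):
        """Access control: no valid credential, no record.

        Audit control: every attempt is logged before the decision is returned,
        so denied probes are visible alongside successful reads.
        """
        principal = self._authenticate(token) or "anonymous"
        allowed = principal != "anonymous" and patient_id in PATIENT_RECORDS
        self.audit_log.append(AuditEvent(
            when=datetime.now(timezone.utc).isoformat(),
            principal=principal,
            patient_id=patient_id,
            outcome="allowed" if allowed else "denied",
            source_ip=source_ip,
        ))
        if not allowed:
            return None
        return PATIENT_RECORDS[patient_id]

    def accessors_of(self, patient_id):
        """Distinct principals that successfully read one patient's ePHI."""
        return sorted({e.principal for e in self.audit_log
                       if e.patient_id == patient_id and e.outcome == "allowed"})

    def denied_attempts(self):
        """Every refused access, including unauthenticated ones."""
        return [e for e in self.audit_log if e.outcome == "denied"]


def demo():
    """Run a constructed sequence of requests and return the service for inspection."""
    svc = EphiService()
    svc.get_record("tok-nurse-7", "P-1001", "10.0.0.5")   # authenticated, allowed
    svc.get_record(None, "P-1001", "203.0.113.9")         # no credential, denied
    svc.get_record("tok-clerk-2", "P-1002", "10.0.0.8")   # authenticated, allowed
    svc.get_record("tok-nurse-7", "P-9999", "10.0.0.5")   # unknown record, denied
    return svc


if __name__ == "__main__":
    s = demo()
    print("P-1001 read by:", s.accessors_of("P-1001"))
    for e in s.denied_attempts():
        print("denied:", e.principal, e.patient_id, e.source_ip)
```

The point of `accessors_of` and `denied_attempts` is that they are answerable at all: an agency whose application logged nothing would have had no way to produce either list after the fact, which is exactly the gap OCR cited.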
What Happened to TX HHSC?
TX HHSC did not dispute OCR’s Notice of Proposed Determination, which proposed to fine TX HHSC in the sum of $1.6 million. OCR then issued a Notice of Final Determination, imposing the fine of $1.6 million.
The story of TX HHSC drives home several points. The first is that entities that do not implement access controls, perform a risk analysis, or implement audit controls are committing HIPAA Security Rule violations and, as such, are subject to fines. The second is that OCR can fine not only private entities but state government agencies as well, if those agencies are themselves covered entities or business associates.
Need Help with HIPAA?
Let our complete HIPAA solution handle it.