In November 2019, the Department of Health and Human Services, Office for Civil Rights (“OCR”) imposed a $1.6M civil money penalty on the Texas Health and Human Services Commission (“TX HHSC”), Department of Aging and Disability Services (“DADS”) for HIPAA violations.
In June 2015, DADS reported a breach of electronic protected health information (“ePHI”) to OCR. DADS discovered that the ePHI of 6,617 individuals was viewable online, including names, addresses, Medicaid numbers, and social security numbers. A flawed software code allowed this data to be accessible without access credentials.
OCR determined that DADS failed to conduct an enterprise-wide security risk assessment and failed to implement audit controls and access controls, as required by the HIPAA Security Rule. As is nearly always the case in HIPAA enforcement actions, while the breach itself may have initiated the OCR investigation, flaws in DADS’ HIPAA compliance program also were cited in OCR’s determination to issue the civil money penalty. While a covered entity or a business associate may not always be able to prevent a HIPAA breach, it can ensure that it has a robust compliance program in place. Notably, one factor cited repeatedly in OCR enforcement actions over the past several years is the lack of an enterprise-wide security risk assessment. Organizations should prioritize compliance with this HIPAA requirement.
In determining the amount of the civil money penalty levied on DADS, OCR acknowledges that DADS’ HIPAA noncompliance did not result in any known harm to individuals, nor limit their ability to receive health care. However, OCR also noted that, while DADS committed to OCR to complete an enterprise-wide security risk analysis within one year, it failed to do so. HIPAA-regulated entities should be advised that, once a governmental audit or investigation commences, it is important to make every attempt to ensure that your compliance program comports with the HIPAA regulations and guidance from OCR and, particularly, to fulfill any commitments made to the regulators.