Another HIPAA Penalty: $1.6 Million for Breach of ePHI

November 12, 2019 | Ada Janocinska | Cybersecurity | Electronic Health Records | HIPAA | Litigation

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced on November 7 that it imposed a $1.6 million monetary penalty against the Texas Health and Human Services Commission for violations of the HIPAA Privacy and Security Rules. The Commission operates several health and public need facilities and also administers many public assistance programs.

One of the programs that the Commission administers provides long-term care services for the aging and disabled, a program that was previously administered by the Department of Aging and Disability Services (DADS). DADS was reorganized into the Commission in 2017. In 2015, DADS reported a HIPAA breach to OCR after electronic protected health information (ePHI) of 6,617 people was accessed without proper authorization. The ePHI involved in the breach included names, addresses, social security numbers and treatment information. The breach was caused by a software flaw that allowed access to the ePHI without proper access credentials when certain files were moved from a private to a public server.

After investigating the incident, OCR concluded that DADS failed to conduct an enterprise-wide HIPAA risk analysis after the breach, and failed to implement certain access controls and protections as required by the HIPAA Security Rule. The Commission, as the successor now administering the DADS program, is obligated to pay the $1.6 million penalty.
