Texas Health and Human Services Commission hit with $1.6M fine for HIPAA violations

The Texas Health and Human Services Commission was hit with a $1.6 million fine for violating federal privacy and security rules.

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) imposed the civil money penalty after an investigation found that a division of Texas HHSC had a data breach that enabled unauthorized users to view the electronic protected health information (ePHI) of 6,000 people.

The information exposed included names, addresses, Social Security numbers, and treatment information, in violation of Health Insurance Portability and Accountability Act (HIPAA) rules, according to a press release from OCR.

Texas HHSC is part of the Texas HHS system, which operates state-supported living centers, provides mental health and substance use services, regulates childcare and nursing facilities, and administers hundreds of programs for people who need assistance, including supplemental nutrition benefits and Medicaid.

The Department of Aging and Disability Services (DADS), a state agency that administered long-term care services for people who are aging, and for people with intellectual and physical disabilities, was reorganized into TX HHSC in September 2017.

On June 11, 2015, DADS filed a breach report with OCR stating that 6,617 individuals' medical data was viewable over the internet. The breach occurred when an internal application was moved from a private, secure server to a public server and a flaw in the software code allowed access to ePHI without access credentials. The violations took place between 2013 and 2017, according to OCR.

OCR's investigation determined that, in addition to the impermissible disclosure, DADS failed to conduct an enterprise-wide risk analysis and failed to implement access and audit controls on its information systems and applications, as required by HIPAA. Because of inadequate audit controls, DADS was unable to determine how many unauthorized persons accessed individuals' private health information.

"Covered entities need to know who can access protected health information in their custody at all times," OCR Director Roger Severino said in a statement. "No one should have to worry about their private health information being discoverable through a Google search."

This year HHS adjusted the monetary penalties it imposes on healthcare providers, health plans and their business associates for violating HIPAA, lowering the annual cap for the least-severe violation from $1.5 million to $25,000.

HHS developed a new tier structure based on culpability and sets different annual limits for fines based on four penalty tiers.

Prior to the changes, the annual limit was $1.5 million for every tier.

According to the penalty structure, the least severe category, Tier 1, pertains to organizations that are not aware of the violation, while Tier 2 pertains to organizations that had reasonable cause to know about the violation. Tier 3 constitutes willful neglect that has been corrected, and willful neglect that is not corrected is considered the most severe category, Tier 4, according to OCR.

OCR determined that Texas HHSC's violations fall into the category of reasonable cause, with penalties of $1,000 to $50,000 per violation and capped at $100,000 per year.

The amount of time the health commission remained out of compliance, from 2013 to 2017, was an aggravating factor, OCR said. But the agency also noted that the organization's noncompliance did not result in any known physical, financial, or reputational harm to any individuals. 

"OCR has considered this, and as a result, concludes that, despite the fact that it could impose a penalty of up to $50,000 a day for each day that HHSC was out of compliance with these regulations, OCR proposes that the daily penalty amount of $1,000 per day be applied for these violations," OCR said in the notice of proposed determination (PDF).