DISCERNING DATA

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy
$1.6 Million Civil Money Penalty for HIPAA Breach Impacting 6,617 Individuals

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services imposed a $1.6 million civil money penalty (CMP) against the Texas Health and Human Services Commission, Department of Aging and Disability Services (HHSC) for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HHSC is a Texas state agency, headquartered in Austin, Texas, that is responsible for the delivery of benefits and services in Texas for several programs, including Medicaid for families and children, long-term care for people who are older or who have disabilities, behavioral health services, and services for women and other people with special health needs.

HHSC submitted a HIPAA Breach Notification Report to OCR on June 11, 2015, regarding the discovery of a security vulnerability in a web-facing application designed for the Community Living Assistance and Support Services and Deaf Blind with Multiple Disabilities (CLASS/DBMD) program. The CLASS/DBMD program is designed to collect and report information regarding utilization management and review activities to the Centers for Medicare & Medicaid Services on the CLASS/DBMD waiver programs. HHSC reported that the CLASS/DBMD application compromised electronic protected health information (ePHI) by allowing an undetermined number of unauthorized users to view the ePHI without verifying user credentials on HHSC’s public server. HHSC confirmed that the CLASS/DBMD application contained the names, residences, addresses, Social Security and Medicaid numbers, and treatment or diagnosis information that belonged to 6,617 individuals. HHSC became aware of the unauthorized access only after a user accessed the ePHI in the application without first being required to input his or her user credentials and alerted HHSC to the fact.

On July 29, 2019, OCR issued a Notice of Proposed Determination to HHSC that proposed to impose a CMP of $1.6 million for HHSC’s failures to:

1. Implement access controls on all of its systems and applications.

2. Implement audit controls of its systems and applications, such as the application involved in the breach.

3. Conduct an agency-wide accurate and thorough risk assessment.
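The first two failures above are technical safeguards that can be illustrated in code. The following is an added example, not code from the post, OCR or HHSC: an ePHI record lookup in the form the breach report describes (no credential check, no record of who viewed what), beside a hardened form that enforces an access-control decision per program and writes an audit entry for every attempt. All record ids, tokens, users and data are constructed for the example.

```python
# Added illustration (not from the post, OCR or HHSC): the two technical
# safeguards the Notice says were missing, access controls and audit controls,
# around a lookup of an ePHI record. All records, users and tokens are constructed.
from datetime import datetime, timezone

# Constructed sample ePHI store keyed by record id; every value is fake.
EPHI_RECORDS = {
    "R-1001": {"program": "CLASS", "name": "Example Person A", "medicaid_no": "000000001"},
    "R-2002": {"program": "DBMD", "name": "Example Person B", "medicaid_no": "000000002"},
}
# Constructed authenticated sessions: token -> user id and programs the user may view.
SESSIONS = {"tok-cw-01": {"user": "caseworker-01", "programs": {"CLASS"}}}
AUDIT_LOG = []  # every ePHI access attempt, allowed or denied, lands here


class AccessDenied(Exception):
    pass


def vulnerable_get_record(record_id, token=None):
    """Mirrors the reported flaw: the credential is never examined, so any
    request for a record id returns the ePHI, and nothing is recorded."""
    return EPHI_RECORDS.get(record_id)


def audit(outcome, user, record_id, reason=""):
    """Audit control: one entry per attempt, including denials."""
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user, "record": record_id, "outcome": outcome, "reason": reason,
    })


def get_record(record_id, token):
    """Hardened lookup: authenticate, authorize per program, log each attempt."""
    session = SESSIONS.get(token)
    if session is None:  # access control: no valid session, no ePHI
        audit("denied", None, record_id, "no valid session")
        raise AccessDenied("authentication required")
    record = EPHI_RECORDS.get(record_id)
    if record is None or record["program"] not in session["programs"]:
        # Same response for unknown ids and foreign programs so a caller
        # cannot learn which ids exist; the audit entry keeps the real reason.
        reason = "no such record" if record is None else "program not authorized"
        audit("denied", session["user"], record_id, reason)
        raise AccessDenied("not authorized")
    audit("allowed", session["user"], record_id)
    return record


def denied_events():
    return [e for e in AUDIT_LOG if e["outcome"] == "denied"]
```

A periodic review of `denied_events()` is the kind of audit-control activity that would have surfaced unauthenticated access before an outside user reported it.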

According to the Notice of Final Determination, HHSC did not contest OCR’s findings and agreed to pay the $1.6 million CMP.

This is the second OCR Notice of Final Determination announced in the last month. The previous OCR Notice of Final Determination was reported on October 15, 2019, against Jackson Health System for $2.15 million. More details on that matter are available in this DBR on Data post. The HHSC and Jackson Health System fines serve as a reminder that OCR is actively investigating and instituting enforcement actions against companies that suffer data breaches as a result of arguably inferior data security protocols. Health care businesses would be wise to revisit their own protocols to ensure that they meet industry and regulatory standards.

If you have any comments or questions about this OCR Notice of Final Determination or would like to discuss HIPAA compliance more generally, please reach out to any member of the Drinker Biddle Health Care Group.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.

About the Author: Sumaya M. Noush

Sumaya Noush counsels health care clients on strategic and operational matters, including transactions, corporate governance and regulatory compliance. View Sumaya's full bio on the Faegre Drinker website.

November 12, 2019
Written by: Sumaya M. Noush
Category: HIPAA
Tags: EPHI, HHSC, HIPAA, OCR