Texas State Health Agency Agrees to $1.6 Million Civil Monetary Penalty For Numerous HIPAA Violations

Saul Ewing LLP

On November 7, 2019, the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) imposed a $1.6 million civil money penalty (CMP) against the Texas Health and Human Services Commission (TX HHSC) for violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.    

This is the second CMP announced by OCR within the past several weeks. The vast majority of OCR HIPAA announcements are settlements between OCR and the alleged offending party. The November 7 announcement is also noteworthy because the TX HHSC is a state entity.

The October 25, 2019 Notice of Final Determination noted that TX HHSC agreed to pay the CMP in full and did not contest the findings in OCR’s July 29, 2019 Notice of Proposed Determination. As a state health agency, TX HHSC regulates child care and long-term care centers, provides mental health and substance abuse treatment, facilitates care for the aging and disabled, and administers numerous public health programs, such as Medicaid. In September 2017, the functions of the Texas Department of Aging and Disability Services (DADS) were shifted to TX HHSC.

In June 2015, DADS submitted a breach report to OCR after discovering a security vulnerability in a web-based application related to the State of Texas’ Community Living Assistance and Support Services and Deaf Blind with Multiple Disabilities (CLASS/DBMD) program. The application collected and transmitted utilization management and review information to the Centers for Medicare and Medicaid Services (CMS) related to the CLASS/DBMD waiver programs. DADS was responsible for transmitting CLASS/DBMD waiver performance data to CMS, including the electronic protected health information (ePHI) of 6,617 patients. The application was housed on a public server and permitted unauthorized users to access ePHI without verifying user credentials.

In response to the breach report, OCR began a broader HIPAA compliance review of TX HHSC. OCR’s review determined that: (1) TX HHSC impermissibly disclosed the ePHI of at least 6,617 individuals; (2) TX HHSC failed to implement access controls (i.e., requiring users to provide credentials to gain access to ePHI contained in the CLASS/DBMD application); (3) TX HHSC failed to implement audit controls to ensure that the CLASS/DBMD application was capable of auditing user access after it was moved to an unsecured public server; and (4) TX HHSC failed to conduct an agency-wide security risk analysis.

In May 2018, OCR issued a Letter of Opportunity to TX HHSC outlining these HIPAA compliance issues and providing TX HHSC with an opportunity to submit additional written evidence of mitigating factors or affirmative defenses. TX HHSC declined to provide such evidence, and OCR thereafter proceeded with its Notice of Proposed Determination. The Notice of Proposed Determination found “reasonable cause” for the violations (as opposed to “willful neglect”) and set the penalties accordingly, including an analysis of the length of time over which each of the HIPAA violations persisted.

This CMP is an important reminder that all HIPAA covered entities – including state agencies – are obligated to safeguard ePHI and must know who has the ability to access their ePHI at any given time. All covered entities should review their policies and processes for complying with the HIPAA Privacy and Security Rules to ensure timely, complete and ongoing compliance, including whenever software or hardware systems are updated.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Saul Ewing LLP | Attorney Advertising
