The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services imposed a $1.6 million civil money penalty (CMP) against the Texas Health and Human Services Commission, Department of Aging and Disability Services (HHSC) for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HHSC is a Texas state agency headquartered in Austin, Texas that is responsible for the delivery of benefits and services in Texas for several programs including Medicaid for families and children, long-term care for people who are older or who have disabilities, behavioral health services, and services for women and other people with special health needs.

HHSC submitted a HIPAA Breach Notification Report to OCR on June 11, 2015, regarding the discovery of a security vulnerability in a web-facing application designed for the Community Living Assistance and Support Services and Deaf Blind with Multiple Disabilities (CLASS/DBMD) program. The CLASS/DBMD program is designed to collect and report information regarding utilization management and review activities to the Centers for Medicare & Medicaid Services on the CLASS/DBMD waiver programs. HHSC reported that the CLASS/DBMD application compromised electronic protected health information (ePHI) by allowing an undetermined number of unauthorized users to view the ePHI without verifying user-credentials on HHSC’s public server. HHSC confirmed that the CLASS/DBMD application contained the names, residences, addresses, Social Security and Medicaid numbers, and treatment or diagnosis information that belonged to 6,617 individuals. HHSC became aware of the unauthorized access only after a user accessed the ePHI in the application without first being required to input his or her user credentials and alerted HHSC of the same.

On July 29, 2019, OCR issued a Notice of Proposed Determination to HHSC that that proposed to impose a CMP of $1.6 million for HHSC failures to:

1. Implement access controls on all of its systems and applications.

2. Implement audit controls of its systems and applications, such as the application involved in the breach.

3. Conduct an agency-wide accurate and thorough risk assessment.

According to the Notice of Final Determination, HHSC did not contest OCR’s findings and agreed to pay the $1.6 million CMP.

This is the second OCR Notice of Final Determination announced in the last month. The last OCR Notice of Final Determination announcement was reported on October 15, 2019, against Jackson Health System for $2.15 million. More details on that matter is available in this DBR on Data post. The HHSC and Jackson Health System fines serve as a reminder that OCR is actively investigating and instituting enforcement actions against companies that suffer data breaches as a result of arguably inferior data security protocols. Health care businesses would be wise to revisit their own protocols to ensure that they meet industry and regulatory standards

If you have any comments or questions about this OCR Notice of Final Determination or would like to discuss HIPAA compliance more generally, please reach out to any member of the Drinker Biddle Health Care Group.