When it comes to the HIPAA Security Rule, even State Agencies aren’t exempt.

A Texas health agency failed to follow Health Insurance Portability and Accountability Act (HIPAA) rules, leading to a $1.6 million penalty.

HIPAA Security Rule Breach Caused By Information Technology Mistake

In 2015, The Department of Aging and Disability Services (DADS), a division of the Texas Health and Human Services Commission, reported a HIPAA Security Rule breach in its digital information system.

A misconfigured server compromised the electronic private health information (ePHI) of over 6,000 physically and mentally disabled patients.

The Office for Civil Rights, the federal agency responsible for investigating HIPAA violations, announced the action against TX HHSC on November 7, 2019.

The HIPAA Security Rule

The HIPAA Security Rule is a federal law that ensures Covered Entities, and Business Associates protect patient health data from unauthorized access.

The HIPAA Security Rule breach made the records easily searchable on the internet.

Covered entities need to know who can access protected health information in their custody at all times,” said OCR Director Roger Severino. “No one should have to worry about their private health information being discoverable through a Google search.

–Roger Severino, Office for Civil Rights Director

HIPAA Security Rule Violations Signal Other Problems

As usual, when the OCR launched an investigation into the HIPAA Security Rule breach, it found more problems.

DADS, it was discovered, failed to conduct an enterprise-wide Risk Analysis.

DADS also failed to provide access and audit controls on its information systems and applications, as required by HIPAA Security Rule.

Details of the case can be found at the Federal Health and Human Services website.

How would your agency fare in an OCR Audit? What would you do if you discovered a HIPAA Security Breach at your organization? Are you performing regular HIPAA Risk Analyses?

If your answers are less-than-comforting, we’re here to help.