This afternoon, the Office for Civil Rights (OCR) announced its second HIPAA enforcement action this week - this time, against a governmental agency.
The Texas Health and Human Services Commission (TX HHSC) received a $1.6 million civil monetary penalty from the OCR for HIPAA Privacy and Security violations committed by the Texas Department of Aging and Disability Services (DADS), which is now part of TX HHSC.
In 2015, DADS notified OCR of a breach after it discovered that the ePHI for 6,617 individuals was accessible via the internet. OCR explains: "The breach occurred when an internal application was moved from a private, secure server to a public server and a flaw in the software code allowed access to ePHI without access credentials."
When it investigated the breach, OCR found:
- DADS did not conduct an enterprise-wide HIPAA Security risk analysis
- DADS' information systems and applications lacked access controls and audit controls (the missing audit controls made it impossible for DADS to determine how many people inappropriately viewed the ePHI).
When was your last HIPAA Security Risk Analysis?
Out of the seven HIPAA resolution agreements issued by the OCR in 2019, five involved covered entities or business associates who failed to conduct a sufficient HIPAA Security risk analysis.
If your organization has not conducted a HIPAA Security risk analysis - or if you have not revisited that analysis within the past year or since your IT environment or PHI uses have changed - it's time to conduct one (and mitigate the risks and vulnerabilities you find).