This afternoon, the Office for Civil Rights announced its second HIPAA enforcement action this week, this time against a governmental agency.
The Texas Health and Human Services Commission (TX HHSC) received a $1.6 million civil monetary penalty from the OCR for HIPAA Privacy and Security violations committed by the Texas Department of Aging and Disability Services (DADS), which is now part of TX HHSC.
In 2015, DADS notified OCR of a breach after it discovered that the ePHI for 6,617 individuals was accessible via the internet. OCR explains:
Jackson Health System (JHS), a not-for-profit medical system in Miami, entered a $2.15 million settlement with the OCR to resolve potential violations of the Security and Breach Notification Rules.
In January 2013, JHS lost paper records for 756 patients. JHS reported this breach to the OCR in August 2013. During its investigation, JHS learned that three additional boxes of records affecting 1,436 patients were lost in December 2012; JHS reported this breach to the OCR in June 2016.
In February 2016, JHS notified the OCR that an employee had inappropriately accessed 24,000 patient records since 2011 and sold some patient PHI.
Upon investigating, the OCR found: