HHS Whacks Texas HHS

Texas Health and Human Services Commission (TXHHS) got a $1.6 million fine for disclosing the ePHI of over 6,000 individuals. TXHHS failed to comply with numerous HIPAA requirements including access controls and audit controls, and failure to perform a HIPAA Security Rule risk analysis.

The fines imposed were for violations that occurred from 2013 to 2019 and were for the maximum amounts proposed by the OCR to be assessed against TXHHS. Although the OCR provided TXHHS with the opportunity to provide “written evidence of mitigating factors or affirmative defenses and/or written evidence in support of a waiver of a CMP within thirty (30) days from the date of the receipt of the letter,” TXHHS did not respond.

Significantly, they not only failed to respond to an opportunity to remediate the problemm but did not perform a risk analysis until two years after the breach.

The moral to the story is do your risk assessments (We do them quarterly), remediate risks when found, and if HHS and OCR come knocking, answer the door.