July 15, 2020

Volume X, Number 197

Texas Health and Human Services Fined $1.6 Million for HIPAA Violations

The Office for Civil Rights (OCR) announced that it has fined the Texas Health and Human Services Commission (TXHHS) $1.6 million for HIPAA violations. This is one of the few fines the OCR has levied against a state agency.

The fine centers on a data breach that TXHHS self-reported to the OCR in June 2015, in which the personal health information (PHI) of 6,617 individuals was viewed over the Internet. The information that was publicly accessible included the individuals’ names, addresses, Social Security numbers and treatment information.

The OCR found that in addition to the data breach, TXHHS failed to conduct an enterprise-wide security risk analysis, failed to implement access and audit controls on the information technology system, and was unable to determine how many people accessed the PHI while it was publicly accessible.

The fines imposed were for violations that occurred from 2013 to 2019 and were for the maximum amounts proposed by the OCR to be assessed against TXHHS. Although the OCR provided TXHHS with the opportunity to provide “written evidence of mitigating factors or affirmative defenses and/or written evidence in support of a waiver of a CMP within thirty (30) days from the date of the receipt of the letter,” TXHHS did not respond.

According to the OCR, “No one should have to worry about their private health information being discoverable through a Google search.”

Copyright © 2020 Robinson & Cole LLP. All rights reserved. National Law Review, Volume IX, Number 325


About this Author

Linn F. Freedman, Robinson Cole Law Firm, Cybersecurity and Litigation Law Attorney, Providence

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She provides guidance on data privacy and cybersecurity compliance to a full range of public and private clients across all industries, such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine, and charitable organizations. Linn is a member of the firm's Business Litigation Group and chairs its Data Privacy + Cybersecurity Team. She is also a member of the Financial Services Cyber-Compliance Team (CyFi ...