The United States Department of Health and Human Services (HHS) recently announced it was fining a Texas agency $1.6 million. The HHS fined the agency due to allegations it violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
What was the violation?
According to the HHS, Texas Health and Human Services Commission was the subject of the fine. The penalty is the result of an event that occurred in 2015. At that time, the agency’s Department of Aging and Disability Services (DADS) reported a breach. The report states that DADS accidentally moved private patient information onto a public server. As a result, there were concerns the general public could access private patient information with a simple Google search. The breach affected 6,617 people.
The breach led to a federal investigation. During the investigation, the government discovered the state agency had failed to conduct an adequate risk analysis. This allegedly resulted in “inadequate audit controls,” which ultimately led to HIPAA violations.
What can other health organizations learn from this case?
The government expects health organizations that are required to provide HIPAA protections to be aware of who within the organization can access patient information and conduct regular risk analysis reviews. Organizations, like DADS, that fail to take adequate steps to protect this information can find themselves facing a hefty fine.
Those facing similar allegations have options. In some cases, the subject of the allegations can request a hearing before an administrative law judge (ALJ) and petition for relief. This can provide an opportunity for the organization to fight back against the claims. The right course of action will depend on the details of the allegations. An attorney experienced in these matters can discuss the benefits and risks of this and other options.