- HHS' Office of Civil Rights has imposed a $1.6 million fine against another government agency, the Texas Health and Human Services Commission (THHSC). It’s also the second seven-figure penalty imposed by OCR in recent days: It fined University of Rochester Medical Center $3 million on Nov. 5.
- The Texas fine was related to the breach of protected health information involving more than 6,600 individuals by the Texas Department of Aging and Disability Services (DADS).
- An investigation also determined DADS had failed to conduct an enterprise-wide risk analysis, or implement proper controls on its data, as required under HIPAA. The same conclusion was reached in the Rochester Medical Center case.
The fines came even though HHS earlier this year made administrative moves to reduce overall fines for HIPAA violations.
Many healthcare organizations miss small details when storing or migrating patient data. This can lead to breaches of protected health information — and a huge financial penalty. However, executives at many organizations are often unaware they may not be properly prepared.
That was the case with DADS. In 2015 the agency moved an internal application from a private to a public server. However, a flaw in the coding software allowed public access to the names, addresses, Social Security numbers, and medical data for 6,617 people. The breach was compounded by the fact that due to its lack of an enterprise-risk analysis, DADS officials could not determine how many people accessed the information when it was publicly available.
As a result, OCR fined THHSC $100,000 for the breach of data, and $500,000 apiece for its lack of risk analysis, audit and risk controls.
The University of Rochester Medical Center fine was for the 2013 loss of patient data on an unencrypted flash drive and a 2017 loss of data on an unencrypted laptop computer — fairly common ways protected health information is breached. Merely encrypting such devices releases providers of liability.
The laptop involved data for 43 patients; it was not specific how many patients were exposed with the loss of the flash drive. However, OCR noted that not only did Rochester Medical Center fail to encrypt such devices, it also failed to conduct an enterprise-wide risk analysis and utilize controls over its devices and media, among other violations. There was no specific breakdown for the application of the fine.
Meanwhile, a recent survey by Integris Health revealed the disconnect between what healthcare executives believe the level of cybersecurity is at their organization and the reality. More than two-thirds were extremely or very confident in their organization’s ability to protect PHI. Nevertheless, healthcare led all industries last year in cybersecurity breaches.