Last month there were several HIPAA Enforcement Actions taken by the U.S. Department of Health and Human Services Office for Civil Rights (OCR), one of which was the result of an inadequate risk assessment.
The Office for Civil Rights has imposed a $1.6 million civil money penalty against the Texas Health and Human Services Commission (TX HHSC) for HIPAA violations. TX HHSC operates state-supported living centers; provides mental health and substance use services; regulates child care and nursing facilities; and administers hundreds of programs for people who need assistance.
TX HHSC reported a breach to the OCR in June of 2015, stating that over 6,000 individuals’ electronic protected health information (ePHI) had been accessible on the internet. The breach was discovered by a user who was able to access ePHI without entering credentials. This was made possible when an application was moved from a private secure server to a public server. During its investigation, the OCR determined that the lack of an enterprise-wide risk analysis had, in part, led to the breach.
You can find more information on this breach and other recent HIPAA Enforcement Actions at the links provided below.