In November, the HHS Office for Civil Rights (OCR) announced three enforcement actions of more than $1 million each.[1]
The smallest of the three is with the Texas Health and Human Services Commission (HHSC), for a civil money penalty (CMP) of $1.6 million.[2] Unlike the other two actions, this fine was imposed by OCR and is not accompanied by a corrective action plan (CAP). The two settlement agreements are with Sentara Hospitals of Virginia ($2.175 million) and the University of Rochester Medical Center ($3 million).
Texas’s payment being a CMP is unusual, but there are several other twists in the story. Earlier this year the state appeared destined to sign a voluntary settlement with a CAP. But that doesn’t mean Texas is getting off cheap by not having to implement a costly CAP.
The state has committed to spending more than $20 million over two years enhancing security, another example of infrastructure investments organizations believe are essential to safeguarding their protected health information (PHI)—sometimes only after the fact of a breach and a fine.
The notice of proposed determination and final determination documents that OCR released also give insights into the agency’s thought process and how it responds to certain investigative findings.
OCR’s action was triggered by a 2015 breach that exposed PHI of 6,617 individuals on the internet, apparently for eight years before the information was discovered and removed.
The breach involved the state’s Department of Aging and Disability Services (DADS), which was dissolved in 2017 and absorbed by the HHSC. The enforcement documents generally refer to HHSC as the subject of the OCR action.