| 2 | 3 | | |
|---|
| 3 | 4 | | |
|---|
| 4 | 5 | | SENATE CONCURRENT RESOLUTION |
|---|
| 5 | 6 | | WHEREAS, On June 11, 2015, the Department of Aging and |
|---|
| 6 | 7 | | Disability Services ("DADS"), a "covered entity" under Privacy, |
|---|
| 7 | 8 | | Security, and Breach Notification Rules ("HIPAA Rules"), filed a |
|---|
| 8 | 9 | | breach notification report with the United States Department of |
|---|
| 9 | 10 | | Health and Human Services, Office for Civil Rights ("OCR") stating |
|---|
| 10 | 11 | | that an impermissible disclosure of unsecured electronic protected |
|---|
| 11 | 12 | | health information (ePHI) in violation of HIPAA Rules had occurred |
|---|
| 12 | 13 | | when a DADS web application was accessible to unauthorized parties; |
|---|
| 13 | 14 | | and |
|---|
| 14 | 15 | | WHEREAS, On July 23, 2015, OCR notified DADS of its |
|---|
| 15 | 16 | | investigation of DADS compliance with the HIPAA Rules and |
|---|
| 16 | 17 | | determined that: |
|---|
| 17 | 18 | | a. DADS failed to conduct an accurate and thorough |
|---|
| 18 | 19 | | assessment of the potential risks and vulnerabilities to the |
|---|
| 19 | 20 | | confidentiality, integrity, and availability of ePHI held by the |
|---|
| 20 | 21 | | covered entity. (See 45 C.F.R. Section 164.308(a)(1)(ii)(A)) |
|---|
| 21 | 22 | | b. DADS failed to implement appropriate technical |
|---|
| 22 | 23 | | policies and procedures for electronic information systems that |
|---|
| 23 | 24 | | maintain electronic protected health information to allow access |
|---|
| 24 | 25 | | only to those persons or software programs that have been granted |
|---|
| 25 | 26 | | access rights as specified in 45 C.F.R. Section 164.308(a)(4). |
|---|
| 26 | 27 | | (See 45 C.F.R. Section 164.312(a)(1)) |
|---|
| 27 | 28 | | c. DADS failed to implement appropriate hardware, |
|---|
| 28 | 29 | | software, and/or procedural mechanisms that record and examine |
|---|
| 29 | 30 | | activity in information systems that contained or used ePHI. (See |
|---|
| 30 | 31 | | 45 C.F.R. Section 164.312(b)) |
|---|
| 31 | 32 | | d. As a result of its failure to appropriately |
|---|
| 32 | 33 | | safeguard the ePHI in a web-based application, DADS impermissibly |
|---|
| 33 | 34 | | disclosed the ePHI of up to 6,617 individuals. (See 45 |
|---|
| 34 | 35 | | C.F.R. Section 164.502(a)); and |
|---|
| 35 | 36 | | WHEREAS, OCR presented the State of Texas a Resolution |
|---|
| 36 | 37 | | Agreement with Corrective Action Plan (the "Settlement Agreement") |
|---|
| 37 | 38 | | in lieu of civil monetary penalties and to provide DADS an |
|---|
| 38 | 39 | | opportunity to correct DADS's failures to safeguard ePHI; and |
|---|
| 39 | 40 | | WHEREAS, The State of Texas has presented a counter-proposal |
|---|
| 40 | 41 | | to the Settlement Agreement to OCR that applies to those covered |
|---|
| 41 | 42 | | functions and information resources involved in the breach that |
|---|
| 42 | 43 | | were formerly operated by DADS but that have been transferred to the |
|---|
| 43 | 44 | | Health and Human Services Commission ("TX HHS"); and |
|---|
| 44 | 45 | | WHEREAS, The proposed Settlement Agreement comprises the |
|---|
| 45 | 46 | | following terms and conditions: |
|---|
| 46 | 47 | | Payment. TX HHS agrees to pay the amount of |
|---|
| 47 | 48 | | $1,600,000.00. |
|---|
| 48 | 49 | | Corrective Action Plan. TX HHS has entered into and |
|---|
| 49 | 50 | | agrees to comply with a Corrective Action Plan ("CAP"). If TX HHS |
|---|
| 50 | 51 | | breaches the CAP, and fails to cure the breach as set forth in the |
|---|
| 51 | 52 | | CAP, then TX HHS will be in breach of the Settlement Agreement and |
|---|
| 52 | 53 | | OCR will not be subject to the release set forth in the Settlement |
|---|
| 53 | 54 | | Agreement. Compliance with the RA/CAP of the Settlement Agreement |
|---|
| 54 | 55 | | by TX HHS is conditioned upon TX HHS obtaining the approval of, and |
|---|
| 55 | 56 | | appropriation of funds needed to comply with, the RA/CAP by the |
|---|
| 56 | 57 | | Legislature of the State of Texas. (See Texas Civil Practice and |
|---|
| 57 | 58 | | Remedies Code Section 111.003(b)). The term of the Corrective |
|---|
| 58 | 59 | | Action Plan will be three (3) years from the effective date of the |
|---|
| 59 | 60 | | proposed agreement. |
|---|
| 60 | 61 | | Release by OCR. In consideration of and conditioned |
|---|
| 61 | 62 | | upon performance by TX HHS of its obligations under the proposed |
|---|
| 62 | 63 | | Settlement Agreement, OCR releases TX HHS from any actions it may |
|---|
| 63 | 64 | | have against TX HHS under the HIPAA Rules arising out of or related |
|---|
| 64 | 65 | | to the conduct identified in paragraph 2 of this concurrent |
|---|
| 65 | 66 | | resolution. OCR does not release TX HHS from, nor waive any rights, |
|---|
| 66 | 67 | | obligations, or causes of action other than those arising out of or |
|---|
| 67 | 68 | | related to said conduct and referred to in this paragraph. |
|---|
| 68 | 69 | | Agreement by Released Parties. TX HHS shall not contest |
|---|
| 69 | 70 | | the validity of its obligation to pay, nor the amount of, the |
|---|
| 70 | 71 | | Resolution Amount or any other obligations agreed to under the |
|---|
| 71 | 72 | | proposed Settlement Agreement. TX HHS waives all procedural rights |
|---|
| 72 | 73 | | granted under Section 1128A of the Social Security Act (42 |
|---|
| 73 | 74 | | U.S.C. Section 1320a-7a); and 45 C.F.R. Part 160, Subpart E; and |
|---|
| 74 | 75 | | claims collection regulations at 45 C.F.R. Part 30, including, but |
|---|
| 75 | 76 | | not limited to, notice, hearing, and appeal with respect to the |
|---|
| 76 | 77 | | Resolution Amount; and |
|---|
| 77 | 78 | | WHEREAS, Section 111.003(a)(2), Civil Practice and Remedies |
|---|
| 78 | 79 | | Code, requires the legislature to approve a settlement of a claim or |
|---|
| 79 | 80 | | action against the state if the settlement commits the state to a |
|---|
| 80 | 81 | | course of action that in reasonable probability will entail a |
|---|
| 81 | 82 | | continuing increased expenditure of state funds over subsequent |
|---|
| 82 | 83 | | state fiscal biennia; and |
|---|
| 83 | 84 | | WHEREAS, The CAP of the proposed agreement commits the State |
|---|
| 84 | 85 | | of Texas to a course of action that in reasonable probability |
|---|
| 85 | 86 | | entails a continuing increased expenditure of state funds over |
|---|
| 86 | 87 | | subsequent state fiscal biennia; now, therefore, be it |
|---|
| 87 | 88 | | RESOLVED, That the 86th Legislature of the State of Texas |
|---|
| 88 | 89 | | hereby approve the proposed Settlement Agreement. |
|---|