S.C.R. No. 21
SENATE CONCURRENT RESOLUTION
WHEREAS, On June 11, 2015, the Department of Aging and
Disability Services ("DADS"), a "covered entity" under Privacy,
Security, and Breach Notification Rules ("HIPAA Rules"), filed a
breach notification report with the United States Department of
Health and Human Services, Office for Civil Rights ("OCR") stating
that an impermissible disclosure of unsecured electronic protected
health information (ePHI) in violation of HIPAA Rules had occurred
when a DADS web application was accessible to unauthorized parties;
and
WHEREAS, On July 23, 2015, OCR notified DADS of its
investigation of DADS compliance with the HIPAA Rules and
determined that:
a. DADS failed to conduct an accurate and thorough
assessment of the potential risks and vulnerabilities to the
confidentiality, integrity, and availability of ePHI held by the
covered entity. (See 45 C.F.R. Section 164.308(a)(1)(ii)(A))
b. DADS failed to implement appropriate technical
policies and procedures for electronic information systems that
maintain electronic protected health information to allow access
only to those persons or software programs that have been granted
access rights as specified in 45 C.F.R. Section 164.308(a)(4).
(See 45 C.F.R. Section 164.312(a)(1))
c. DADS failed to implement appropriate hardware,
software, and/or procedural mechanisms that record and examine
activity in information systems that contained or used ePHI. (See
45 C.F.R. Section 164.312(b))
d. As a result of its failure to appropriately
safeguard the ePHI in a web-based application, DADS impermissibly
disclosed the ePHI of up to 6,617 individuals. (See 45
C.F.R. Section 164.502(a)); and
WHEREAS, OCR presented the State of Texas a Resolution
Agreement with Corrective Action Plan (the "Settlement Agreement")
in lieu of civil monetary penalties and to provide DADS an
opportunity to correct DADS's failures to safeguard ePHI; and
WHEREAS, The State of Texas has presented a counter-proposal
to the Settlement Agreement to OCR that applies to those covered
functions and information resources involved in the breach that
were formerly operated by DADS but that have been transferred to the
Health and Human Services Commission ("TX HHS"); and
WHEREAS, The proposed Settlement Agreement comprises the
following terms and conditions:
Payment. TX HHS agrees to pay the amount of
$1,600,000.00.
Corrective Action Plan. TX HHS has entered into and
agrees to comply with a Corrective Action Plan ("CAP"). If TX HHS
breaches the CAP, and fails to cure the breach as set forth in the
CAP, then TX HHS will be in breach of the Settlement Agreement and
OCR will not be subject to the release set forth in the Settlement
Agreement. Compliance with the RA/CAP of the Settlement Agreement
by TX HHS is conditioned upon TX HHS obtaining the approval of, and
appropriation of funds needed to comply with, the RA/CAP by the
Legislature of the State of Texas. (See Texas Civil Practice and
Remedies Code Section 111.003(b)). The term of the Corrective
Action Plan will be three (3) years from the effective date of the
proposed agreement.
Release by OCR. In consideration of and conditioned
upon performance by TX HHS of its obligations under the proposed
Settlement Agreement, OCR releases TX HHS from any actions it may
have against TX HHS under the HIPAA Rules arising out of or related
to the conduct identified in paragraph 2 of this concurrent
resolution. OCR does not release TX HHS from, nor waive any rights,
obligations, or causes of action other than those arising out of or
related to said conduct and referred to in this paragraph.
Agreement by Released Parties. TX HHS shall not contest
the validity of its obligation to pay, nor the amount of, the
Resolution Amount or any other obligations agreed to under the
proposed Settlement Agreement. TX HHS waives all procedural rights
granted under Section 1128A of the Social Security Act (42
U.S.C. Section 1320a-7a); and 45 C.F.R. Part 160, Subpart E; and
claims collection regulations at 45 C.F.R. Part 30, including, but
not limited to, notice, hearing, and appeal with respect to the
Resolution Amount; and
WHEREAS, Section 111.003(a)(2), Civil Practice and Remedies
Code, requires the legislature to approve a settlement of a claim or
action against the state if the settlement commits the state to a
course of action that in reasonable probability will entail a
continuing increased expenditure of state funds over subsequent
state fiscal biennia; and
WHEREAS, The CAP of the proposed agreement commits the State
of Texas to a course of action that in reasonable probability
entails a continuing increased expenditure of state funds over
subsequent state fiscal biennia; now, therefore, be it
RESOLVED, That the 86th Legislature of the State of Texas
hereby approve the proposed Settlement Agreement.
______________________________ ______________________________
President of the Senate Speaker of the House
______________________________ ______________________________
President of the Senate Speaker of the House
I hereby certify that S.C.R. No. 21 was adopted by the Senate
on April 17, 2019, by the following vote: Yeas 31, Nays 0.
______________________________
Secretary of the Senate
I hereby certify that S.C.R. No. 21 was adopted by the House
on May 10, 2019, by the following vote: Yeas 138, Nays 2,
two present not voting.
______________________________
Chief Clerk of the House
Approved:
______________________________
Date
______________________________
Governor