The Oklahoma Department of Human Services had a data breach in April 2016. After discovering the breach, Oklahoma DHS notified the people impacted by the breach and the DHS' Office of Inspector General, but not the HHS' Office for Civil Rights. Oklahoma DHS only notified OCR 18 months after the end of the 60-day period required by the HIPAA Breach Notification Rule. This was a clear violation of the HIPAA Rules.
The April 2016 breach resulted from an unauthorized person accessing a computer at Carl Albert State College in Poteau, Oklahoma. The computer held the records of past and present Temporary Assistance for Needy Families clients. Potentially exposed information included names, dates of birth, addresses and Social Security numbers. When Carl Albert State College learned of the breach, it secured its systems and put new controls in place to prevent further potential breaches.
In May 2016, the HHS Office of Inspector General received the breach notification. The individuals impacted by the breach received notification in August 2016. The HHS' Office for Civil Rights did not receive any notification. To satisfy the HIPAA Breach Notification Rule, OCR required the Oklahoma Department of Human Services to re-notify the 47,000 Temporary Assistance for Needy Families clients. Aside from the additional cost of re-notifying 47,000 people, Oklahoma DHS is also at risk of a substantial fine for overlooking the HIPAA requirement to notify the Secretary of HHS through OCR.
Early this year, OCR demonstrated its seriousness in enforcing the HIPAA Breach Notification Rule when it imposed a $475,000 fine on Presence Health for unnecessarily delaying the issuance of breach notification letters. Presence Health sent the notification letters one month after the 60-day deadline set in the Breach Notification Rule.