HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Employee Sent PHI After Being Fired

A bizarre mistake by the Texas Health and Human Services Commission has seen a former employee sent the protected health information of approximately 100 patients after she had been fired. She was sent boxes containing items that had been collected from her old desk, but was also sent a box of benefits application forms.

After Tracy Ryans, 51, of Houston, was terminated, HHSC mailed her two boxes containing her personal items, which were left on her porch by the delivery driver. One of the boxes contained personal belongings that included pens, a coffee cup, and old shoes. The other box contained paperwork.

Ryans told the Texas Tribune that one of the boxes contained personal items that did not belong to her. They had been taken from a desk she shared with coworkers. The other box was full of paperwork containing highly sensitive personal information of clients.

The paperwork included benefits applications that included the Social Security numbers, billing statements, copies of driver’s licenses, and check stubs relating to approximately 100 individuals. The documents were dated April 13, 2018 – 15 days after Ryans had been terminated.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Ryans contacted the Texas State Employees Union to seek advice about what she should do with the paperwork, after becoming concerned that she might be accused of stealing the documents. She was given assistance returning the paperwork to HHSC.

The reason for Ryans termination after 9 years working for HHSC was an alleged failure to ensure the security of client information and violating HIPAA Rules – something Ryans denies. The mailing of PHI to Ryans, who had no legal right to hold the information, would be considered a violation of HIPAA Rules in itself. However, at this stage HHSC has yet to confirm what sensitive information was detailed in the documents and whether HIPAA Rules had been accidentally violated.

The incident is currently being investigated by HHSC and the potential privacy breach has been reported to the Office of Inspector General. If it is confirmed that sensitive information was exposed and HIPAA Rules were violated, steps will be taken to remedy the breach and affected individuals will be notified.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.