UT Southwestern Medical Center Announces Data Disclosure
The UT Southwestern Medical Center has inadvertently breached Health Insurance Portability and Accountability Act and state privacy laws after accidentally transmitting the immunization records of 1,032 individuals to a confidential state registry.
The data was posted to the ImmTrac immunization database, used by the Texas Department of State Health Services, school districts and physicians to keep a check on children’s immunizations to ensure they have been performed.
The database contains over 120 million immunization records, mostly for children although some adults have data recorded on the system. Access to ImmTrac is strictly controlled and only authorized individuals would have been able to view the information uploaded. Under Texan law, written authorization must be obtained from the patient before any data is shared statewide ImmTrac users.
The information started being transmitted on January 9, 2015 after a routine computer upgrade was performed. Russell Rian, a spokesperson for UTSW, said in a statement the transmission was the result of a “computer glitch.” At no point was the information viewable by the public or by any unauthorized user, and the data was securely encrypted before it was transferred to the database.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The problem came to light following an inquiry from a patient after it appears that some information was shared. The subsequent investigation launched by UTSW revealed over 1,000 records had been sent. UTSW contacted the Texas Department of State Health Services and the data has now been deleted from the system. No further viewing of that information is possible.
It is not clear how many individuals viewed the uploaded healthcare data during the time that it was viewable. According to UTSW’s interim privacy officer, Pamela Bennett, “There is a very low probability that the information disclosed was compromised.”
Under HIPAA, covered entities are not permitted to disclose confidential Protected Health Information (PHI) without prior authorization from patients. If PHI – which includes immunization records – was transmitted with PII it is a violation of HIPAA Rules. In this case, since health information was added to the database and this information was directly tied to an individual this violates both HIPAA.
UTSW has issued notification letters to all affected individuals and has taken steps to ensure that similar breaches do not occur in the future.