HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

UT Southwestern Medical Center Announces Data Disclosure

The UT Southwestern Medical Center has inadvertently breached Health Insurance Portability and Accountability Act and state privacy laws after accidentally transmitting the immunization records of 1,032 individuals to a confidential state registry.

The data was posted to the ImmTrac immunization database, used by the Texas Department of State Health Services, school districts and physicians to keep a check on children’s immunizations to ensure they have been performed.

The database contains over 120 million immunization records, mostly for children although some adults have data recorded on the system. Access to ImmTrac is strictly controlled and only authorized individuals would have been able to view the information uploaded. Under Texan law, written authorization must be obtained from the patient before any data is shared statewide ImmTrac users.

The information started being transmitted on January 9, 2015 after a routine computer upgrade was performed. Russell Rian, a spokesperson for UTSW, said in a statement the transmission was the result of a “computer glitch.” At no point was the information viewable by the public or by any unauthorized user, and the data was securely encrypted before it was transferred to the database.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

The problem came to light following an inquiry from a patient after it appears that some information was shared. The subsequent investigation launched by UTSW revealed over 1,000 records had been sent. UTSW contacted the Texas Department of State Health Services and the data has now been deleted from the system. No further viewing of that information is possible.

It is not clear how many individuals viewed the uploaded healthcare data during the time that it was viewable. According to UTSW’s interim privacy officer, Pamela Bennett, “There is a very low probability that the information disclosed was compromised.”

Under HIPAA, covered entities are not permitted to disclose confidential Protected Health Information (PHI) without prior authorization from patients. If PHI – which includes immunization records – was transmitted with PII it is a violation of HIPAA Rules. In this case, since health information was added to the database and this information was directly tied to an individual this violates both HIPAA.

UTSW has issued notification letters to all affected individuals and has taken steps to ensure that similar breaches do not occur in the future.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.