The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

UT Southwestern Medical Center Announces Data Disclosure

The UT Southwestern Medical Center has inadvertently breached the Health Insurance Portability and Accountability Act and state privacy laws after accidentally transmitting the immunization records of 1,032 individuals to a confidential state registry.

The data was posted to the ImmTrac immunization database, used by the Texas Department of State Health Services, school districts and physicians to keep a check on children’s immunizations to ensure they have been performed.

The database contains over 120 million immunization records, mostly for children, although some adults have data recorded on the system. Access to ImmTrac is strictly controlled and only authorized individuals would have been able to view the information uploaded. Under Texan law, written authorization must be obtained from the patient before any data is shared with statewide ImmTrac users.

The information started being transmitted on January 9, 2015, after a routine computer upgrade was performed. Russell Rian, a spokesperson for UTSW, said in a statement that the transmission was the result of a “computer glitch.” At no point was the information viewable by the public or by any unauthorized user, and the data was securely encrypted before it was transferred to the database.

The problem came to light following an inquiry from a patient, after it appeared that some information had been shared. The subsequent investigation launched by UTSW revealed over 1,000 records had been sent. UTSW contacted the Texas Department of State Health Services and the data has now been deleted from the system. No further viewing of that information is possible.

It is not clear how many individuals viewed the uploaded healthcare data during the time that it was viewable. According to UTSW’s interim privacy officer, Pamela Bennett, “There is a very low probability that the information disclosed was compromised.”

Under HIPAA, covered entities are not permitted to disclose confidential Protected Health Information (PHI) without prior authorization from patients. If PHI, which includes immunization records, was transmitted with PII, it is a violation of HIPAA Rules. In this case, since health information was added to the database and this information was directly tied to an individual, this violates both HIPAA and state privacy laws.

UTSW has issued notification letters to all affected individuals and has taken steps to ensure that similar breaches do not occur in the future.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
