Children’s Medical Centre of Dallas to pay HIPAA fines of $3,217,000 for non-compliance with multiple security rule standards

February 23, 2017

HIPAA Breach

The U.S. Department of Health and Human Services, Office of Civil Rights (OCR) has announced a civil money penalty against Children’s Medical Centre of Dallas (Children’s) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), based on its impermissible disclosure of unsecured electronic protected health information (ePHI) and its non-compliance over many years with multiple standards of the HIPAA Security Rule. OCR issued a Notice of Proposed Determination in accordance with 45 CFR 160.420, and the notice included instructions for how Children’s could file a request for a hearing. Accordingly, OCR issued another notice, a Notice of Final Determination, and Children’s paid the full civil money penalty of $3.2 million. Children’s is a pediatric hospital in Dallas, Texas, and is part of Children’s Health, the seventh-largest pediatric health care provider in the nation.

On January 18, 2010, Children’s filed a breach report with OCR indicating the loss of an unencrypted, non-password-protected BlackBerry device at the Dallas/Fort Worth International Airport on November 19, 2009. The device contained the ePHI of approximately 3,800 individuals. Children’s separately filed another HIPAA Breach Notification Report with OCR, reporting the theft of an unencrypted laptop from its premises between April 4 and April 9, 2013. Children’s reported that the device contained the ePHI of 2,462 individuals. Although Children’s had implemented some physical safeguards for the laptop storage area (e.g., badge access and a security camera at one of the entrances), it also gave access to the area to workforce members who were not authorized to access ePHI.

OCR’s investigation revealed Children’s noncompliance with HIPAA Rules, specifically its failure to implement risk management plans, contrary to prior external recommendations to do so, and its failure to deploy encryption or an equivalent alternative measure on all of its laptops, workstations, mobile devices and removable storage media until April 9, 2013. Children’s had knowledge of the risk of maintaining unencrypted ePHI on its devices as far back as 2007, yet it issued unencrypted BlackBerry devices to nurses and allowed its workforce members to continue using unencrypted laptops and other mobile devices until 2013. OCR Acting Director Robinsue Frohboese said, “Ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correcting them,” adding that “OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine.”

OCR Notice of Final Determination – Children’s Notice of final determination