Children’s Medical Center of Dallas (Children’s) was hit with a $3.2 million civil penalty from the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) for failing to take steps to properly protect patient medical information. The civil penalty is the result of two data breaches caused by a lack of encryption and what was described as the hospital’s “non-compliance over many years with multiple standards of the HIPAA Security Rule.”
The first data breach, reported on January 18, 2010, involved the loss of an unencrypted, non-password protected smartphone containing approximately 3,800 individuals’ electronic protected health information (ePHI). The smartphone was lost at an airport. The second breach, reported on July 5, 2013, involved the theft from the hospital of an unencrypted laptop containing the ePHI of 2,462 patients.
The OCR’s investigation found that Children’s engaged a third party to conduct a security gap analysis and assessment in 2007. The assessment identified the absence of risk management as a major finding and recommended that Children’s implement encryption to avoid loss of ePHI on stolen or lost laptops. A separate third party analysis in 2008 again indicated that a mechanism was not in place to protect ePHI. The 2008 report identified data encryption as a “high priority” item and recommended that Children’s implement data encryption in the fourth quarter of 2008.
The OCR determined that the 2007 and 2008 analyses demonstrated Children’s actual knowledge of the risks to its unencrypted ePHI. Despite this knowledge, the OCR found that Children’s continued to issue unencrypted smartphone devices to nurses and allowed its workforce members to continue using unencrypted laptops and other mobile devices until at least April 9, 2013.
In determining the amount of the penalty, the OCR considered the following to be “aggravating factors” militating against a lower penalty:
The amount of time that Children’s continued to use unencrypted devices even after it had actual knowledge that encryption was necessary to ensure the security of ePHI.
Children’s prior history of non-compliance with the Privacy and Security Rules.
The OCR’s determination highlights the need for an organization to address in a timely manner the risks that are brought to its attention. It is not enough to conduct a risk assessment. An organization must also manage the identified risks and, going forward, take reasonable steps to mitigate against them.
The OCR’s press release emphasizes the importance of timely, proactive action: “Ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correcting them, is essential” said OCR Acting Director Robinsue Frohboese. “Although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine.”
Notably, Children’s failed to request a hearing in response to the Notice of Proposed Determination. In such circumstances, notice recipients typically request a hearing and proceed to negotiate a settlement. However, Children’s did not request a hearing. Consequently, the Notice of Proposed Determination became final, resulting in the imposition of the determined civil monetary penalty.