On February 1, 2017, the Department of Health and Human Services, Office for Civil Rights (“OCR”) announced that the Children’s Medical Center of Dallas (“Children’s”) has paid a civil monetary penalty (“CMP”) of $3.2 million to resolve multiple HIPAA violations over several years. This CMP announcement raises a number of questions, such as whether it was financially advantageous to choose to accept a CMP rather than a proposed financial settlement and corrective action plan, and whether imposing millions of dollars in penalties on a non-profit children’s hospital strikes the right balance of promoting compliance versus taking funds away from patient care (although OCR applied the minimum CMP amounts available for the violations).

Take-Away Considerations

• Covered entities and business associates must conduct a comprehensive risk analysis and must take steps to address gaps identified as part of the risk analysis.
• Policies and procedures should address all required elements of the Privacy and Security Rules.
• “Addressable” does not equal optional. The encryption implementation specification is addressable as opposed to required. Therefore, encryption must be implemented if, after a risk assessment, the entity has determined that the specification is a “reasonable and appropriate” safeguard in its risk management of the confidentiality, integrity, and availability of e-PHI. If the covered entity or business associate concludes that the addressable encryption implementation specification is not reasonable and appropriate, then it must document that determination and implement an equivalent alternative measure.
• Although most entities facing CMPs choose to settle, the costs of a corrective action plan may make accepting a CMP a more attractive alternative, especially if OCR is seeking the minimum level of penalties.

Summary of OCR’s Action

In January 2010, Children’s notified OCR about a breach affecting approximately 3,800 patients due to a misplaced unencrypted BlackBerry device at the Dallas/Fort Worth International Airport. Soon after, OCR initiated an investigation during which Children’s provided the results of two external security gap analyses conducted between December 2006 and August 2008. The analyses encouraged Children’s to implement encryption on portable electronic devises to reduce exposure of ePHI, noting that data encryption was a “high priority” for Children’s. Later in 2010, Children’s reported the loss of a resident’s unencrypted iPod, which permitted unauthorized access to the ePHI of at least 22 individuals.

Despite these breaches and recommendations to implement encryption, OCR alleged that Children’s carried on without implementing encryption and suffered another breach in April of 2013, when an unencrypted laptop was stolen from an operating room. Children’s notified OCR of the breach in July of 2013, estimating that breach resulted in the impermissible disclosure of ePHI for 2,462 individuals.

In the Notice of Final Determination, OCR stated that, given the external security gap analyses from 2006 and 2008, Children’s had knowledge of the risks to its unencrypted ePHI yet continued to issue mobile devices without encryption. OCR also concluded that Children’s failed to implement sufficient policies and procedures governing the receipt and removal of hardware and electronic media that contain ePHI out of its facility, and the movement of those items within the facility. OCR considered two factors in determining the amount of the CMP, namely: 1) the amount of time that Children’s continued to use unencrypted devices even after it had actual knowledge of the need for encryption; and 2) Children’s prior history of non-compliance with the Privacy and Security Rules. OCR chose to apply the minimum CMP amounts ($1,000 per violation), rather than the maximum amount ($50,000 per violation), based on the level of culpability that it assigned (finding that the violations were based on reasonable cause rather than willful neglect). If OCR had sought the maximum penalties, then the CMP would have been more than $13 million after application of the calendar year caps.

This is only the third time that OCR has issued a CMP, which represents formal findings of violations rather than a voluntary settlement. In the first instance, OCR imposed a CMP against Cignet Health for failing to cooperate with an ongoing investigation (and failing to provide patients with access to their records). There is no indication that Children’s failed to cooperate here. In the second CMP, Lincare, Inc. chose not to settle and instead appealed OCR’s imposition of a CMP, which was subsequently upheld by an Administrative Law Judge (“ALJ”), the first time a covered entity appealed a CMP to an ALJ. In contrast, in this case, Children’s did not choose to appeal the proposed CMP after receiving OCR’s Notice of Proposed Determination. Because Children’s did not request a hearing, the Notice of Proposed Determination is now final, resulting in the imposition of the determined CMP.

It is difficult to say why Children’s elected to forgo a hearing. It may be that Children’s was concerned about implementing a corrective action plan, which likely would have accompanied the settlement and could have added significant time and costs. Insurance coverage also could be a factor, as a fine may be covered whereas the continuing costs of implementing a corrective action plan may not be.