The Office for Civil Rights (OCR) sent a strong message to the healthcare community with its third civil monetary penalty, totaling $3.2 million.
Children’s Medical Center of Dallas – part of the seventh-largest pediatric health care provider in the nation – was on the wrong end of two data breaches caused by a lack of encryption. The hefty fine stems from the OCR’s investigation uncovering longstanding failures to comply with HIPAA’s rules.
Children’s first filed a breach report with OCR in January 2010. An employee lost an unencrypted, non-password protected BlackBerry device at the Dallas airport in November 2009. The device contained the electronic protected health information (ePHI) of 3,800 individuals.
Children’s filed a separate breach report with OCR in July 2013. This time it was due to the theft of an unencrypted laptop from the premises in April 2013. The device contained ePHI of about 2,500 individuals.
In this case, it was determined that several physical safeguards were in place to protect the laptop storage area, namely badge access and a security camera at one entrance. However, access to the area had been granted to members of the workforce who weren’t authorized to access ePHI.
The OCR levied the civil monetary penalty, rather than coming to terms on a settlement, due to widespread failures related to HIPAA compliance. Specifically, OCR noted two crucial HIPAA failures:
- Failure to implement risk management plans, contrary to external recommendations
- Failure to deploy encryption or equivalent alternative measures of safeguard on laptops, work stations, mobile devices, and removable media until 2013
The key issue leading to the penalty was the medical provider’s failure to fix known problems over an extended period of time. Children’s had an independent firm conduct a gap analysis in 2006 and again in 2007, which highlighted the risks to unencrypted ePHI by March 2007 at the latest. A separate analysis was performed in 2008 to address threats and vulnerabilities to certain ePHI.
Children’s was therefore aware of the risks posed by its unencrypted devices, yet failed to act until 2013.
Acting OCR Director Robinsue Frohboese noted, “Ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correcting them, is essential. Although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine.”
OCR hasn’t slowed down its HIPAA enforcement so far in 2017, but this case is unique for a few reasons: the total number of affected individuals was fewer than 6,000, yet the case involved multiple breaches of unencrypted devices and focused on Children’s failure to mitigate known security issues.
OCR demonstrates once again that it isn’t afraid to impose heavy fines for widespread non-compliance in safeguarding ePHI. Healthcare organizations should take this enforcement action as a warning: fix the problems you’ve identified! When your risk assessments identify gaps and vulnerabilities, prioritize and address those areas during risk mitigation efforts.