Earlier this month, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) civil money penalty of $3,217,000.00 against Children’s Medical Center of Dallas (Children’s), a pediatric hospital that is part of Children’s Health, the seventh largest pediatric health care provider in the nation. OCR based this penalty on its finding that Children’s failed to comply with HIPAA Security Rule over many years and that Children’s impermissibly disclosed unsecured electronic protected health information (ePHI) when it suffered two data breaches that were reportable to OCR.
- On January 18, 2010, Children’s reported to OCR the loss of an unencrypted, non-password protected BlackBerry device at an airport on November 19, 2009. The device contained the ePHI of approximately 3,800 individuals.
- On July 5, 2013, Children’s reported to OCR the theft of an unencrypted laptop from its premises sometime between April 4 and April 9, 2013. The device contained the ePHI of approximately 2,462 individuals.
Because Children’s devices were unencrypted, Children’s was obligated to report their loss, along with the unsecured ePHI they contained, to the HHS. Had Children’s devices been encrypted, it could have taken advantage of the “safe harbor” rule, pursuant to which covered entities and business associates are not required to report a breach of information that is not “unsecured.”
- OCR’s investigation revealed that, in violation of HIPAA Rules, Children’s (1) failed to implement risk management plans, contrary to prior external recommendations to do so, and (2) knowingly and over the course of several years, failed to encrypt, or alternatively protect, all of its laptops, work stations, mobile devices, and removable storage media.
- OCR’s investigation established that Children’s knew about the risk of maintaining unencrypted ePHI on its devices as far back as 2007.
- Despite this knowledge, Children’s issued unencrypted BlackBerry devices to nurses and allowed its workforce members to continue using unencrypted laptops and other mobile devices until 2013.