Children’s Medical Center of Dallas has paid a $3.2 million civil penalty to the US Department of Health and Human Services Office for Civil Rights (OCR) for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The hospital was fined for its impermissible disclosure of unsecured electronic protected health information (ePHI) and for noncompliance, over many years, with multiple standards of the HIPAA Security Rule.
On January 18, 2010, the pediatric hospital filed a breach report with OCR indicating the loss of an unencrypted, non-password-protected BlackBerry device at the Dallas/Fort Worth International Airport on November 19, 2009. The device contained the ePHI of approximately 3,800 individuals.
On July 5, 2013, Children’s Medical Center filed a separate breach report of the theft of an unencrypted laptop from its premises between April 4 and April 9, 2013. The hospital reported that the laptop included the ePHI of 2,462 individuals.
Although Children’s Medical Center had implemented some physical safeguards for the laptop storage area, such as badge access and a security camera at one of its entrances, it also granted access to the area to workforce members who were not authorized to access ePHI.
Specifically, OCR cited the hospital’s failure to implement risk management plans, despite prior external recommendations to do so, as well as its failure to deploy encryption or an equivalent alternative measure on all of its laptops, workstations, mobile devices, and removable storage media until April 9, 2013.
Despite the hospital’s knowledge about the risk of maintaining unencrypted ePHI on its devices as far back as 2007, it issued unencrypted BlackBerry devices to its nurses and allowed its personnel to continue using unencrypted laptops and other mobile devices until 2013. Children’s Medical Center is part of Children’s Health, the seventh largest pediatric healthcare provider in the United States.
“Ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correcting them, is essential,” said OCR acting director Robinsue Frohboese. “Although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine.”
OCR has posted its Notice of Proposed Determination and Notice of Final Determination on its website. Its summary of the HIPAA Security Rule is also available online. Further information about nondiscrimination and health information privacy laws, civil rights, privacy rights in healthcare and human service settings, and filing a complaint is available at hhs.gov/hipaa/index.html.