Hospital Pays $3.2M Penalty Resulting from HIPAA Security Rule Noncompliance
In one of the last health care-related acts of President Obama’s administration, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), imposed a multimillion-dollar HIPAA civil money penalty (CMP) against Children’s Medical Center of Dallas (Children’s). The penalty was publicly announced on February 1, 2017. The Children’s penalty was based upon multiple impermissible disclosures of unsecured electronic protected health information (ePHI) and multi-year noncompliance with several HIPAA Security Rule standards. According to OCR, Children’s is the 7th largest pediatric provider in the United States.
Children’s filed two separate HIPAA breach reports with OCR. In 2010, Children’s reported to OCR the loss of an unencrypted, non-password-protected BlackBerry device at an airport (the “BlackBerry Breach”). The device contained the ePHI of approximately 3,800 individuals. In 2013, Children’s reported to OCR the theft of an unencrypted laptop from Children’s premises that contained the ePHI of approximately 2,500 individuals (the “Laptop Breach”).
During OCR’s investigation of the BlackBerry Breach, Children’s submitted to OCR a HIPAA Security Rule gap analysis performed by an outside vendor covering the period from December 2006 through February 2007. That vendor identified the absence of risk management protocols and recommended encryption of all Children’s devices. In August 2008, Children’s conducted a second independent vendor analysis for HIPAA Security Rule compliance. The second vendor also identified encryption as a high priority item and recommended that Children’s encrypt all devices by the end of 2008.
On September 30, 2016, OCR issued a Notice of Proposed Determination to Children’s, stating that the OCR intended to impose a CMP of approximately $3.2M on Children’s. The Notice of Proposed Determination included 20 findings of fact and noted that Children’s continued to issue unencrypted BlackBerrys and allowed its workforce teams to use unencrypted devices through April 2013, even after receiving these two independent vendor reports.
OCR also stated that there was an additional impermissible disclosure of the ePHI of 22 individuals resulting from a resident’s lost, unencrypted iPod (the “iPod Incident”).
According to the Notice of Proposed Determination, OCR’s bases for imposing the CMP included the following:
- Children’s failed to implement access controls relating to encryption and decryption of ePHI, or equivalent alternative measures;
- Children’s failed to implement sufficient policies and procedures governing the receipt and removal of hardware and electronic media containing ePHI into and out of its facilities; and
- Children’s impermissibly disclosed ePHI on approximately 2,500 occasions through the iPod Incident and the Laptop Breach.
OCR considered the following aggravating factors in determining the amount of the CMP: the length of time that Children’s continued to use unencrypted devices, even after having knowledge that encryption should be used to secure ePHI, and its prior history of noncompliance with the HIPAA Privacy and Security Rules.
OCR determined that Children’s liability for each of the three bases for the CMP was: $923,000 for the failure to implement access controls (encryption and decryption); $772,000 for the failure to implement device and media controls; and $1,522,000 for the impermissible disclosures. These three amounts total approximately $3.2M.
Children’s had the opportunity to request a hearing after its receipt of the Notice of Proposed Determination and elected not to do so. OCR then issued a Notice of Final Determination, and the proposed CMP became final.
The multimillion-dollar CMP reiterates the importance of all covered entities having robust compliance programs in place for both the HIPAA Privacy Rule and the HIPAA Security Rule. Encryption of ePHI is an “addressable” implementation specification under the Security Rule, but addressable does not mean optional: a covered entity that does not encrypt must document why encryption is not reasonable and appropriate and implement an equivalent alternative measure, and the absence of both is what OCR penalized here. In particular, covered entities that use outside consultants for HIPAA advice should act on the consultants’ recommendations within a reasonable time and document the compliance measures implemented pursuant to that advice, as well as any decision not to implement a recommendation and the reasons for it.
The OCR Notice of Proposed Determination and Notice of Final Determination may be found here.
It is not yet clear what the Trump administration’s approach will be to HIPAA enforcement. In the interim, all parties affected by HIPAA should continue to maintain compliance with both the Privacy Rule and the Security Rule.
Saul Ewing attorneys regularly advise clients on HIPAA Privacy and Security Rule compliance. For more information on these matters, please contact the authors or the attorney at the firm with whom you are regularly in contact.