{"id":1162,"date":"2017-03-24T14:51:43","date_gmt":"2017-03-24T18:51:43","guid":{"rendered":"https:\/\/www2.law.temple.edu\/10q\/?p=1162"},"modified":"2017-03-24T14:51:43","modified_gmt":"2017-03-24T18:51:43","slug":"hospital-pays-3-2m-resulting-hipaa-security-rule-noncompliance","status":"publish","type":"post","link":"https:\/\/law.temple.edu\/10q\/hospital-pays-3-2m-resulting-hipaa-security-rule-noncompliance\/","title":{"rendered":"Hospital Pays $3.2M Resulting from HIPAA Security Rule Noncompliance"},"content":{"rendered":"

In one of the last health care related acts of President Obama’s administration, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), imposed a multi-million dollar HIPAA civil money penalty (CMP) against Children\u2019s Medical Center of Dallas (Children\u2019s). \u00a0The penalty was publicly announced on February 1, 2017. \u00a0The Children’s penalty was based upon multiple impermissible disclosures of unsecured electronic protected health information (ePHI) and multi-year non-compliance with several HIPAA Security Rule standards.<\/p>\n

According to OCR, Children’s is the 7th<\/sup> largest pediatric provider in the United States.\u00a0 Children’s filed two separate HIPAA breach reports with OCR. \u00a0In 2010, Children\u2019s reported to OCR the loss of an unencrypted, non-password protected BlackBerry device at an airport (the \u201cBlackberry Breach\u201d). \u00a0The device contained the ePHI of approximately 3,800 individuals. \u00a0In 2013, Children’s reported to OCR the theft of an unencrypted laptop from Children\u2019s premises that had the ePHI of approximately 2,500 individuals (the \u201cLaptop Breach\u201d).<\/p>\n

During OCR\u2019s investigation of the BlackBerry Breach, Children\u2019s submitted to OCR a HIPAA Security Rule gap analysis performed by an outside vendor covering the period from December 2006 through February 2007. \u00a0That vendor identified the absence of risk management protocols and recommended encryption of all Children\u2019s devices. \u00a0In August 2008, Children’s conducted a second independent vendor analysis for HIPAA Security Rule compliance. \u00a0The second vendor also identified encryption as a high priority item and recommended that Children’s encrypt all devices by the end of 2008.\u00a0 In addition to the BlackBerry and the Laptop Breaches, the OCR stated there was also an impermissible disclosure of the ePHI of 22 people resulting from a resident\u2019s lost and unencrypted iPod (the \u201ciPod Incident\u201d).<\/p>\n

On September 30, 2016, OCR issued a Notice of Proposed Determination to Children\u2019s, stating that the OCR intended to impose a CMP of approximately $3.2M on Children\u2019s.\u00a0 The Notice of Proposed Determination included twenty findings of fact and noted that Children’s continued to issue unencrypted BlackBerry\u2019s and allowed its workforce teams to use unencrypted devices through April 2013, even after receiving the two independent vendor reports.\u00a0 Children\u2019s failed to appropriately document its decision not to encrypt mobile devices.<\/p>\n

According to the Notice of Proposed Determination, the OCR\u2019s bases for imposing the CMP included the following:<\/p>\n