The Children’s Medical Center of Dallas has paid a civil monetary penalty of $3.2 million to resolve multiple HIPAA violations spanning several years. The Department of Health and Human Services’ Office for Civil Rights (OCR) made the announcement revealing the fine recently.
It is unusual for a HIPAA civil monetary penalty to be paid by a HIPAA-covered entity to resolve HIPAA violations found during OCR data breach investigations. In most cases where serious violations of the Health Insurance Portability and Accountability Act are found by OCR investigators, the covered entity in question reaches a voluntary settlement with OCR.
Normally, this results in the covered entity paying a lower amount to OCR to resolve the HIPAA violations. OCR attempted to settle the matter via informal means between November 6, 2015, and August 30, 2016, before issuing a Notice of Proposed Determination on September 30, 2016. In the Notice of Proposed Determination, OCR stated that Children’s Medical Center of Dallas could file a request for a hearing, although no request was sent. Consequently, Children’s Medical Center of Dallas had to pay the entire civil monetary penalty of $3,217,000, making this the largest HIPAA violation penalty of 2017, eclipsing the payments made by Presence Health ($475,000) and MAPFRE Life Insurance Company of Puerto Rico ($2.2 million).
Children’s Medical Center of Dallas is run by Children’s Health, a Dallas-based healthcare system made up of three hospitals and numerous clinics in North Texas. On January 18, 2010, OCR was alerted by Children’s Medical Center that a breach of patients’ electronic protected health information (ePHI) had occurred. The breach happened following the loss of a Blackberry device containing the ePHI of 3,800 patients. The device had not been properly encrypted and was not password protected, allowing any individual who found the device to access the ePHI of all of the patients.
An investigation into the breach was carried out around June 14, 2010. As part of the investigation, Children’s Medical Center provided OCR with a Security Gap Analysis carried out by Strategic Management Systems, Inc. (SMS) between December 2006 and February 2007. That analysis showed a lack of risk management at Children’s Medical Center. In the report, SMS recommended that Children’s Medical Center add encryption to portable devices such as laptop computers to prevent the exposure of ePHI in the event of an incident such as this one. Children’s Medical Center failed to act on that recommendation.
PricewaterhouseCoopers (PwC) completed an analysis of threats and risks to ePHI in August 2008. The PwC report also recommended that Children’s Medical Center put in place encryption on laptop computers, workstations, mobile devices, and portable storage devices such as USB thumb drives. PwC said encryption was “necessary and appropriate.” Children’s Medical Center did not act on PwC’s recommendations, even though encryption was rated as a “high priority” item.
To OCR it was obvious that Children’s Medical Center was aware of the risks to the confidentiality, integrity, and availability of ePHI and that there was a lack of proper safeguards for ePHI at rest. The center was aware of the risks as early as March 2007, more than 12 months before the security incident occurred and ePHI was exposed. Had Children’s Medical Center implemented the recommendations of SMS or PwC, the breach could have been prevented.
In another case in 2010, Children’s Medical Center reported the loss of a non-encrypted iPod containing the ePHI of 22 patients. The loss happened in December 2010. On July 5, 2013, Children’s Medical Center notified OCR of an additional breach involving a non-encrypted device. In this instance, the theft of a laptop led to the exposure of 2,462 individuals’ ePHI.
Even after the data breaches happened, Children’s Medical Center failed to make the necessary changes, only implementing encryption on portable devices in April 2013. From 2007 to April 9, 2013, nurses were using inadequately protected Blackberry devices that held ePHI, while other workers were using non-encrypted laptop computers and mobile devices until April 9, 2013.
Using encryption to protect ePHI is not mandatory for HIPAA-covered entities. However, the use of encryption to safeguard the confidentiality, integrity, and availability of ePHI is an ‘addressable’ implementation specification under the HIPAA Security Rule.
HIPAA-covered entities are required to complete a comprehensive, organization-wide risk assessment to identify vulnerabilities that could lead to the exposure of ePHI. If, after performing the risk assessment, the covered entity determines that encryption is not ‘reasonable and appropriate’, the reasons why encryption is not deemed necessary must be documented and an equivalent alternative measure must still be put in place to ensure ePHI is appropriately secured. Children’s Medical Center failed to document why encryption had not been used and also failed to put in place adequate alternative security measures.
Furthermore, OCR found that prior to November 9, 2012, Children’s Medical Center did not have adequate policies and procedures governing the removal of hardware and electronic equipment from its facilities or the movement of those devices within its offices. Until November 9, 2012, Children’s Medical Center did not know exactly how many devices those policies and procedures should apply to: a full inventory was only completed on November 9, 2012. While devices had been inventoried prior to November 9, 2012, those operated by the Biomedical department were not included in that inventory, in violation of the HIPAA Security Rule (45 C.F.R. § 164.310(d)(1)).
While efforts were made to address the HIPAA violations informally, Children’s Medical Center did not ‘provide written evidence of mitigating factors or affirmative defenses and/or its written evidence in support of a waiver of a CMP.’
OCR found that the violations were due to reasonable cause rather than willful neglect of the HIPAA Rules. Had that not been the case, the penalty would have been much higher. OCR considered, in its ruling, that there had been no apparent harm caused to patients as a result of the lost devices, and chose the minimum applicable penalty amount of $1,000 per day that the violations were allowed to continue.
OCR’s Final Notice of Determination can be seen at this link.