Lack of action and multiple HIPAA violations lead to multimillion civil monetary penalty

February 3, 2017
Medicare Web

A Texas hospital was recently hit with a $3.2 million HIPAA civil monetary penalty, the Office for Civil Rights (OCR) announced February 1.

Children’s Medical Center of Dallas filed a breach report in 2010 and, following an investigation, OCR issued a Notice of Proposed Determination instructing Children’s how to file a request for a hearing. At a hearing, the covered entity (CE) or business associate (BA) has the option to reach a settlement agreement, which generally includes a settlement payment and a corrective action. Children’s failed to file a request for a hearing and OCR issued a Notice of Final Determination including the civil monetary penalty.

In 2010, Children’s reported that an unencrypted, non-password-protected BlackBerry containing the electronic protected health information (ePHI) of 3,800 individuals had been lost at Dallas/Fort Worth International Airport in November 2009. Children’s filed a second breach report in 2013 after an unencrypted laptop containing the ePHI of 2,462 individuals was stolen from the facility.

OCR’s investigation into the breaches revealed multiple HIPAA violations. Children’s did not implement the risk management plans it had drawn up and did not encrypt all workstations, mobile devices, and removable storage until after the 2013 breach. Investigators determined that Children’s became aware of the risk of using unencrypted devices in 2007 but continued to allow staff to work on unencrypted devices and even issued unencrypted BlackBerrys to nurses.

Children’s paid the fine in full. CEs and BAs should carefully review risk management policies and pay attention to deadlines when reporting breaches to OCR.
