Feds fine Dallas hospital $3.2M for HIPAA security violations
Children’s Medical Center of Dallas has paid a $3.2 million fine to the HHS Office for Civil Rights after regulators found it had not complied with multiple requirements of the HIPAA security rule over many years.
The medical center also appears not to have fully cooperated with OCR during the investigation, agency documents show. OCR traditionally enters into a settlement agreement with a HIPAA covered entity after negotiating the size of a monetary payment and the conditions of a corrective action plan; in this case, the agency instead imposed a civil money penalty.
Children’s Medical Center of Dallas did not respond to requests for comment on the charges or on the imposition of HIPAA penalties.
OCR Director Jocelyn Samuels has significantly ramped up HIPAA enforcement actions during the past year and has indicated that such actions will continue this year.
In the case of Children’s Medical, OCR issued a Notice of Proposed Determination that included instructions on how the medical center could file a request for a hearing. “Children’s did not request a hearing,” OCR said in a statement. “Accordingly, OCR issued a Notice of Final Determination, and Children’s has paid the full civil money penalty of $3.2 million.”
The OCR investigation was initiated after Children’s experienced a breach in November 2009, when an unencrypted BlackBerry device lost at an airport exposed the protected health information of 3,800 individuals. Later, the theft of an unencrypted laptop in 2013 affected the information of 2,462 individuals.
According to OCR, the hospital failed to implement risk management plans despite prior external recommendations to do so and despite having understood the risks since 2007. Children’s Medical conducted consultant-aided security gap analyses in 2007 and 2008, but did not implement the recommended protections for mobile devices until April 2013.
Accordingly, “Children’s had actual knowledge of the risks to unencrypted ePHI at rest by at least March 2007, at least one year prior to the reported security incidents,” OCR contends in the Notice of Final Determination. Further, Children’s failed to document its decisions not to secure mobile devices, in violation of HIPAA.
OCR further determined that Children’s did not have policies governing the receipt and removal of hardware and electronic media holding ePHI, and could not identify all of the devices to which its device and media control policy applied.
In May 2016, OCR informed Children’s that the matters related to the breaches had not been resolved by informal means despite “OCR’s attempts to do so.” The letter also gave the hospital the opportunity to submit evidence supporting a waiver of the civil money penalty. However, Children’s responses did not establish an adequate defense, according to the agency.
The OCR Notice of Final Determination is available here.