In one of the last health care related acts of President Obama’s administration, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), imposed a multi-million dollar HIPAA civil money penalty (CMP) against Children’s Medical Center of Dallas (Children’s). The penalty was publicly announced on February 1, 2017. The Children’s penalty was based upon multiple impermissible disclosures of unsecured electronic protected health information (ePHI) and multi-year non-compliance with several HIPAA Security Rule standards.
According to OCR, Children’s is the 7th largest pediatric provider in the United States. Children’s filed two separate HIPAA breach reports with OCR. In 2010, Children’s reported to OCR the loss of an unencrypted, non-password protected BlackBerry device at an airport (the “Blackberry Breach”). The device contained the ePHI of approximately 3,800 individuals. In 2013, Children’s reported to OCR the theft of an unencrypted laptop from Children’s premises that had the ePHI of approximately 2,500 individuals (the “Laptop Breach”).
During OCR’s investigation of the BlackBerry Breach, Children’s submitted to OCR a HIPAA Security Rule gap analysis performed by an outside vendor covering the period from December 2006 through February 2007. That vendor identified the absence of risk management protocols and recommended encryption of all Children’s devices. In August 2008, Children’s conducted a second independent vendor analysis for HIPAA Security Rule compliance. The second vendor also identified encryption as a high priority item and recommended that Children’s encrypt all devices by the end of 2008. In addition to the BlackBerry and the Laptop Breaches, the OCR stated there was also an impermissible disclosure of the ePHI of 22 people resulting from a resident’s lost and unencrypted iPod (the “iPod Incident”).
On September 30, 2016, OCR issued a Notice of Proposed Determination to Children’s, stating that the OCR intended to impose a CMP of approximately $3.2M on Children’s. The Notice of Proposed Determination included twenty findings of fact and noted that Children’s continued to issue unencrypted BlackBerry’s and allowed its workforce teams to use unencrypted devices through April 2013, even after receiving the two independent vendor reports. Children’s failed to appropriately document its decision not to encrypt mobile devices.
According to the Notice of Proposed Determination, the OCR’s bases for imposing the CMP included the following:
- Children’s failed to implement access controls relating to encryption or decryption or equivalent alternative measures;
- Children’s failed to implement sufficient policies and procedures regarding the receipt or removal of hardware and electronic media that contain ePHI into and out of its facilities; and
- Children’s impermissibly disclosed the PHI of approximately 2,500 occurred through the iPod Incident and the Laptop Breach.
The following aggravating factors were considered by OCR in determining the amount of the CMP: the length of time that Children’s continued to use unencrypted devices, even after having knowledge that encryption should be used to ensure the security of the ePHI, and its prior history of noncompliance with the HIPAA Privacy and HIPAA Security Rules.
The OCR determined that Children’s liability for each of the three bases for the CMP was: $923,000 for access controls of encryption and decryption; $772,000 relating to device and media controls; and $1,522,000 for the impermissible disclosures.
Children’s had the opportunity to request a hearing after its receipt of the Notice of Proposed Determination and elected not to do so. At that juncture, the OCR issued a Notice of Final Determination and the proposed CMP became final.
The multi-million dollar CMP again highlights the importance for all covered entities to have robust compliance programs in place for the HIPAA Privacy Rule and the HIPAA Security Rule. In particular, covered entities, when using outside consultants for HIPAA advice, should abide by the consultants’ recommendations and document any compliance measures that are implemented pursuant to that advice.
The OCR Notice of Proposed Determination and Notice of Final Determination may be found here.
The transition to the Trump administration has not slowed OCR’s HIPAA enforcement activities. Since President Trump took office, the OCR has announced another HIPAA settlement in the amount of $5.5 million. Maintaining a comprehensive HIPAA Privacy and Security Rule compliance program remains essential for covered entities and business associates.
Karilynn Bayus is the Vice Chair and Bruce Armon is the Chair of Saul Ewing LLP’s Health Care Practice. Karilynn and Bruce each represent health care providers and businesses in transactional, regulatory and administrative matters. Karilynn and Bruce regularly write and speak on HIPAA issues.