The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), announced on February 1, 2017, that it imposed a $3.2 million civil money penalty against Children’s Medical Center of Dallas (“Children’s”) for impermissible disclosure of unsecured electronic protected health information (ePHI) and many years of non-compliance with multiple standards of the HIPAA Security Rule. What makes this case particularly painful is that Children’s appears to have had many opportunities to mitigate its noncompliance, and to lessen the penalty, but failed to take full advantage of them.
Eleven years ago, in 2006, one year after the HIPAA Security Rule took effect, Children’s retained a third party to conduct a security gap analysis and assessment. That assessment identified the absence of risk management as a major finding. The third party consultant recommended that Children’s implement encryption to avoid loss of ePHI on stolen or lost laptops. Recommendation not taken.
In 2008, Children’s engaged a different third party vendor to conduct a separate analysis of threats to ePHI. That vendor also determined that encryption was necessary and appropriate, and identified the loss of data at rest through unsecured mobile devices as being a high risk for Children’s. Although required by the HIPAA Security Rule, Children’s failed to document its decision to not implement encryption or any applicable rationale behind a decision to use alternative security measures.
Time passed. No encryption. You guessed it.
In January 2010, Children’s filed a breach report with OCR regarding the loss of an unencrypted, non-password protected BlackBerry device at the Dallas/Fort Worth International Airport, exposing the ePHI of approximately 3,800 individuals.
In December 2010, a Children’s medical resident lost an iPod device that had been synched to the resident’s Children’s email account, resulting in the unencrypted ePHI of 22 individuals being placed on the device.
In 2012, OCR issued the findings of its audit of Children’s identifying, among other things, insufficient controls for devices, including smartphones and USB drives.
In July 2013, Children’s filed another HIPAA Breach Notification Report with OCR, reporting the April 2013 theft from its premises of an unencrypted laptop containing ePHI of 2,462 individuals. Although Children’s had implemented some physical safeguards to its laptop storage area (e.g., badge access and a security camera at one of the entrances), it had allowed janitorial staff unrestricted access to the area where the laptop with unencrypted ePHI was stored. Children’s internal investigation concluded that the laptop was probably stolen by a member of the janitorial staff.
OCR’s subsequent investigation of Children’s revealed a lack of policies, a lack of device and media controls, a failure to implement risk management plans despite prior external recommendations to do so, and a failure to deploy encryption or an equivalent alternative measure on all of its laptops, workstations, mobile devices and removable storage media until April 2013, when the laptop theft occurred. OCR noted that, despite Children’s knowledge about the risk of maintaining unencrypted ePHI on its devices as far back as 2007, Children’s issued unencrypted BlackBerry devices to nurses and allowed its workforce members to continue using unencrypted laptops and other mobile devices until 2013.
OCR issued a “Letter of Opportunity” to Children’s in May 2016, noting that OCR’s efforts to resolve the matter by informal means had been unsuccessful. In response, Children’s put forth a defense to OCR’s allegations but to no avail. By law, for violations occurring after February 2009, OCR could not impose a civil money penalty on Children’s if Children’s could establish to OCR’s satisfaction that the violations were not due to willful neglect and were corrected during the 30-day period beginning on the first date it knew, or, by exercising reasonable diligence, would have known that the violation occurred. However, Children’s had not made corrections of its violations within that timeframe.
In September 2016, OCR notified Children’s of its findings and the proposed penalty. OCR had considered as aggravating factors the amount of time that Children’s continued to use unencrypted devices, even after express recommendations of consultants and the OCR that encryption was necessary for ePHI security. The notification included instructions for requesting a hearing to challenge the proposed penalties. Children’s did not request a hearing.
On January 18, 2017, OCR issued a notice to Children’s that the full civil money penalty of $3.2 million was final.
Children’s did the compliant thing, back in 2006 and 2008, to conduct security risk assessments. Ignoring the results of such risk assessments is a common failure of HIPAA covered entities and their business associates. Children’s learned the hard way that not implementing recommended measures, such as failing to implement encryption and device controls, and not correcting violations that come to light, may seem like the right (or the economically sound) decision at the time, but can prove to be extremely costly in the end. Especially if you just keep doing it.
For advice on security risk assessments, policies and protocols, and corrective action plans for security violations, contact Denise L. Sanders, Esq., shareholder at Capehart Scatchard, who regularly advises healthcare providers and vendors on requirements of HIPAA Privacy and Security and federal and state Data Breach Notification rules.