OCR Penalizes Health System for Multiple HIPAA Violations

On February 1, 2017, OCR announced that it had levied a $3.2 million civil money penalty against Children’s Medical Center of Dallas (Children’s). The enforcement action ends a nearly six-year-long investigation into Children’s health information privacy and security practices.

OCR’s review of Children’s compliance with the HIPAA Privacy and Security Rules was prompted by reports of breaches compromising protected health information. The reports concerned lost or stolen smartphones and other portable devices that stored patient information without encryption. OCR’s investigation found multiple security issues and a lack of HIPAA compliance dating back as far as 2007. According to the agency’s report, between 2007 and 2013 Children’s issued unencrypted mobile devices to its nurses, as well as other unencrypted devices. In January 2010, Children’s reported to OCR a breach in which the PHI of 3,800 individuals was compromised when an unencrypted mobile device that had no password protection was lost. Then in July 2013, Children’s reported that an unencrypted device containing the PHI of nearly 2,500 individuals had gone missing in April 2013. Children’s had some physical safeguards in place but overlooked that the laptop storage area was accessible to unauthorized employees.

Part of the reason for the hefty penalty is that OCR’s investigation found repeated failures to put appropriate security safeguards into place despite multiple information security risk assessments identifying threats and vulnerabilities that were easy to mitigate. In other words, Children’s was fully aware of the risk associated with having unencrypted mobile devices that contained PHI and yet continued to repeatedly violate standards of the HIPAA Security Rule.

“Although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine,” OCR Acting Director Robinsue Frohboese said in a statement.

Click here to read the press release issued by OCR.

February 2nd, 2017

About the Author:

David Holtzman

Considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules, David Holtzman was a senior advisor at OCR before joining the team at CynergisTek. He also previously served as the privacy & security officer for Kaiser Permanente’s Mid-Atlantic Region.