How Children’s Medical Center Could Have Avoided A $3.2 Million Fine
On February 1, 2017, the HHS OCR announced that the Children’s Medical Center of Dallas (Children’s) received a $3.2 million HIPAA non-compliance penalty based on its impermissible disclosure of unsecured electronic protected health information (PHI) and non-compliance with multiple HIPAA requirements over many years. Children’s has paid the full civil money penalty of $3.2 million. Children’s is a pediatric hospital in Dallas, Texas.
Overview of their breaches and non-compliance
On January 18, 2010, Children’s filed a breach report with OCR indicating the loss of an unencrypted, non-password-protected BlackBerry device at the Dallas/Fort Worth International Airport on November 19, 2009. The device contained the PHI of approximately 3,800 individuals. On July 5, 2013, Children’s filed a separate HIPAA Breach Notification Report with OCR, reporting the theft of an unencrypted laptop from its premises sometime between April 4 and April 9, 2013. Children’s reported that the device contained the PHI of 2,462 individuals. Although Children’s had implemented some physical safeguards for the laptop storage area (e.g., badge access and a security camera at one of the entrances), it did not address all risks and did not implement all HIPAA security requirements. For example, it continued to allow workforce members who were not authorized to access PHI into areas that contained such PHI.
Some specifically named issues that led to the large penalty:
- Failure to implement risk management plans, contrary to prior external recommendations to do so, and failure to perform risk assessments as required.
- Failure to encrypt data on all of its laptops, work stations, mobile devices and removable storage media in a timely manner.
- Despite Children’s knowledge about the risk of maintaining unencrypted PHI on its devices as far back as 2007, Children’s issued unencrypted BlackBerry devices to nurses and allowed its workforce members to continue using unencrypted laptops and other mobile devices until 2013.
- Lack of training on how to safeguard mobile devices and endpoints.
“Ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correcting them, is essential,” said OCR Acting Director Robinsue Frohboese. “Although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine.”
What Children’s Could Have Done to Avoid Such a Hit
Children’s Medical Center had obviously been on the chopping block for some time. CareersInfoSecurity.com reports that there were two investigations into breaches of unencrypted mobile devices, in 2009 and 2013, and that it was known as far back as 2007 that unencrypted BlackBerry devices had been issued to nurses and that other workforce members continued to use unencrypted laptops and other mobile devices.
These are just a few of the many opportunities that Children’s had to correct a very serious issue. The Department of Health and Human Services’ Office for Civil Rights (OCR) says it imposed the hefty penalty on Children’s Medical Center of Dallas “based on its impermissible disclosure of unsecured electronic protected health information and non-compliance over many years with multiple standards of the HIPAA Security Rule.”
The penalty levied by the OCR might not have been so stiff had Children’s been able to show evidence that risk assessments were performed, that it had at least acted on the findings of those assessments, and that it had provided adequate training to its employees. The absence of all three certainly portrayed a high level of willful neglect on the part of the hospital.
OCR also found that Children’s additionally violated HIPAA by failing, prior to at least November 9, 2012, to implement sufficient policies and procedures governing the receipt and removal of hardware and electronic media containing ePHI into and out of its facility, and the movement of these items within the facility. Before November 2012, Children’s information technology (IT) assets were inventoried and managed separately from the inventory of devices used within its Biomedical Department. Children’s IT asset policies did not apply to devices managed by the Biomedical Department that accessed or stored ePHI. Consequently, Children’s was unable to identify all devices to which the device and media control policy should apply until it completed a full-scope inventory of all information systems containing ePHI on November 9, 2012. Because Children’s had not conducted a complete inventory identifying every device to which its IT asset policies applied, and so could not ensure that all devices were covered by its device and media control policies, the Proposed Determination concluded that Children’s was out of compliance with the Security Rule at 45 C.F.R. § 164.310(d)(1).
What Can You Do?
This Final Determination of the OCR echoes the need for proper device/endpoint encryption and for proper documentation of risk assessments, audits, breach investigations and other events, of the compliance analysis and conclusions reached in response, and of the corrective actions selected and implemented in response to those events. Risk assessments (RAs) and training modules would have significantly lessened, or even prevented, this very large fine.
Omni-Watch Systems provides the above-mentioned requirements, including employee training, as a service to the retail, health and financial services sectors. Our comprehensive Compliance & Risk Management Program can be, and often is, segmented into seven prioritized solutions to accommodate even the smallest firms and businesses and to ease the cost of compliance. Our management solutions include Security & Privacy Management, Training & Awareness, Risk Management, Policies & Procedures, Vendor Management, Audit & Breach Management and Employee Oversight.
Do you need a Security and Privacy Management Program? Why not get started today? Omni-Watch Systems is currently offering a 20% discount on RAs, training modules and other services through 3/31/2017. Call us TODAY for a free Network Assessment at 214-340-2258, or complete the form below and a representative will contact you within 24 hours.
See the penalty announcement here: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/childrens
See analysis about the situation and penalty here: http://www.govinfosecurity.com/32-million-hipaa-fine-analysis-9665