Children's Medical Center fined $3.2M over HIPAA violations

Dive Brief:

  • After multiple HIPAA breaches, Children’s Medical Center of Dallas has been assessed a civil money penalty of $3.2 million, according to HHS.

  • HHS stated the original privacy breach happened in November 2009, when a BlackBerry that had neither encryption nor password protection was stolen. Another theft occurred in April 2013, when an unencrypted laptop was stolen from hospital grounds.

  • Upon investigation, the Office for Civil Rights (OCR) discovered that Children’s had failed to take actions to prevent such breaches until 2013, despite being aware of the risks.

Dive Insight:

OCR generally prefers to settle and educate when it finds compliance problems so that affected entities can learn from their mistakes and correct any weaknesses in their risk management approaches. A civil money penalty, rather than a negotiated settlement, is therefore the exception.

According to HHS, Children’s knew about the relevant compliance risks back in 2007 and, between 2007 and 2013, neglected to implement risk management plans recommended by external entities. The hospital issued unencrypted BlackBerry devices to nurses until 2013, and unencrypted laptops or tablets to other staff for just as long.

The protections the hospital did have in place were inadequate, according to OCR: the laptop storage area required badge access and had a security camera, but employees who were not authorized to access protected health information could still enter it. Fewer than 7,000 people were affected.

On one hand, breaches resulting from lost or stolen unencrypted devices appear to be declining as administrators adopt stronger security controls. On the other hand, the $3.2 million penalty serves as a strong reminder to other healthcare providers to be vigilant about their security. OCR increased its investigations of smaller privacy breaches (those affecting fewer than 500 patients) last summer and began on-site audits this year, once again reminding entities that they need to be vigilant. Those who are responsible for patient information will be expected to do more than pay lip service to risk management plans.
