On February 1, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced a $3.2 million civil monetary penalty against Children’s Medical Center of Dallas (“Children’s”) for alleged ongoing violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules, following two consecutive breaches of patient electronic protected health information (“ePHI”). This is the third enforcement action taken by OCR in 2017, following the respective actions taken against MAPFRE Life Insurance of Puerto Rico and Presence Health earlier in January.

According to OCR’s Notice of Final Determination, Children’s experienced two breaches of patient ePHI over a three-year span. Both breaches involved the loss or theft of unencrypted devices containing patient ePHI. Following the 2010 breach, OCR commenced an investigation of Children’s compliance with the HIPAA Privacy, Security and Breach Notification Rules. OCR’s investigation determined that Children’s was put on notice of its security vulnerabilities – particularly the threats posed by unencrypted laptops and mobile devices – prior to both breaches. OCR found Children’s to be noncompliant with HIPAA due to Children’s (1) “failure to implement risk management plans, contrary to prior external recommendations to do so” and (2) “failure to deploy encryption or an equivalent alternative measure on all of its laptops, work stations, mobile devices and removable storage media until April 9, 2013.”

According to its Notice of Final Determination, OCR considered the following “aggravating factors” in reaching its $3.2 million civil monetary penalty:

  • The amount of time that Children’s continued to use unencrypted devices even after it had actual knowledge that encryption was necessary to ensure the security of ePHI. OCR alleged that Children’s was put on notice as early as 2008 that it was at a “high risk” of loss of ePHI through the loss or theft of an unsecured device, and that encryption of its devices was “necessary and appropriate.”
  • Children’s prior history of noncompliance with the HIPAA Privacy and Security Rules. OCR underscored the fact that both the 2010 and 2013 data breaches involved noncompliance with the same or similar provisions of the HIPAA Privacy and Security Rules. OCR also cited additional incidents involving Children’s loss of devices containing unsecured ePHI, which took place prior to the implementation of the HIPAA Breach Notification Rule.

In announcing the penalty against Children’s, OCR Acting Director Robinsue Frohboese warned that, “although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine.”