The Department of Health and Human Services, Office for Civil Rights (OCR), has announced a HIPAA civil monetary penalty of $3.2 million against Children’s Medical Center of Dallas, based on multiple HIPAA violations and non-compliance over numerous years.
In 2010, Children’s notified OCR that an unencrypted Blackberry device had been lost. The device contained electronic protected health information (ePHI) from 3,800 individuals. Three years later, in 2013, Children’s reported another breach involving the theft of an unencrypted laptop from its facility. This second breach compromised the ePHI of 2,462 individuals. Upon investigation, OCR discovered that, “…although Children’s had implemented some physical safeguards to the laptop storage area (e.g., badge access and a security camera at one of the entrances), it also allowed access to the area to workforce not authorized to access ePHI.”
According to a HHS Press Office release dated February 1, 2017, “OCR’s investigation revealed Children’s noncompliance with HIPAA Rules, specifically, a failure to implement risk management plans, contrary to prior external recommendations to do so, and a failure to deploy encryption or an equivalent alternative measure on all of its laptops, work stations, mobile devices and removable storage media until April 9, 2013.“
Furthermore, OCR found that Children’s lacked appropriate policies and procedures for electronic equipment that would help to manage the movement of devices throughout its facilities, or assist in tracking the removal of such devices from its facilities.
According to OCR Acting Director Robinsue Frohboese. “Although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine.”
The lesson to be learned from this for all healthcare providers and institutions is that they must take the responsibility of maintaining the security and confidentiality of their patient’s PHI seriously.
Establishing and implementing formal HIPAA policies and procedures, conducting a thorough security risk analysis to help identify risk and vulnerabilities to ePHI, and providing ongoing workforce training are all necessary steps to protect PHI. Moreover, employing these protective measures are requirements of the HIPAA Privacy and Security Regulations.
If you have questions about establishing and implementing HIPAA policies and procedures, inUnison Consulting, LLC can help. Give us a call today at 877-222-2027!