Dallas hospital pays out $3.2 million for HIPAA breach

The Children’s Medical Center of Dallas recently agreed to pay a $3.2 million penalty to settle the U.S. Department of Health and Human Services’ (“DHS”) pursuit of sanctions against it for a HIPAA breach.  Children’s Medical Center failed to properly secure its ePHI, and it was inadvertently disclosed.

Children’s Medical Center is a pediatric hospital in Dallas, Texas, and is part of Children’s Health, the seventh largest pediatric healthcare provider in the nation.

First, in January of 2010, Children’s Medical Center filed a HIPAA Breach Notification Report with DHS to report that an unencrypted, non-password protected BlackBerry device had been lost at the Dallas/Fort Worth International Airport on November 19, 2009. The device contained the ePHI of approximately 3,800 Children’s Medical Center patients.  

(Not sure what a Breach Notification Report is? Review your HIPAA policy for a refresher course on when you should file these reports, or email us to get a quote for a customized policy manual.)

In July of 2013, Children's Medical Center filed another HIPAA Breach Notification Report, this time reporting that an unencrypted laptop was stolen from the hospital sometime in April. Children's Medical Center reported that the laptop contained the ePHI of 2,462 individuals.

In general, HIPAA requires that you have written policies addressing three big topics: privacy, security, and breaches.  Children’s Medical Center wasn’t clueless when it came to security – it implemented some physical safeguards to protect the area where laptops were stored, including badge access and a security camera at one of the entrances.  However, it also allowed access to the area for workforce members who weren’t authorized to access ePHI.

Children’s Medical Center had failed to implement procedures that were compliant with HIPAA.  It did not implement risk management plans, nor did it use encryption on all of its laptops, workstations, mobile devices, or removable media storage.  And although it was aware of the  risk of storing unencrypted ePHI on electronic devices, Children's Medical Center provided unencrypted BlackBerry devices to nurses.  It also allowed its workforce members to continue using unencrypted laptops and other mobile devices until 2013.

If you want to learn more...

You can review the DHS press release here.  You can also read more about HIPAA audits, and why you need comprehensive policies and procedures here.

© 2017 Jackson LLP, all rights reserved

 

erinjackson-healthcareattorney