HHS levies $3.2 Million Penalty Against Hospital for HIPAA Failures

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has levied a $3.2 million penalty against Children’s Medical Center of Dallas for violations of the Health Insurance Portability and Accountability Act, including “impermissible disclosure of unsecured electronic health information (ePHI).”

Children’s Dallas, according to an HHS announcement, filed a report with OCR in January 2010 detailing the loss of an unencrypted BlackBerry device that contained ePHI for 3,800 individuals. Additionally, in July 2013, the hospital filed a report with OCR detailing the theft three months earlier of an unencrypted laptop that contained information for 2,462 individuals.

OCR determined that Children’s failed to implement risk management plans, and also failed to deploy encryption “or an equivalent alternative measure” on its devices — including laptops, mobile devices and removable storage — until April 9, 2013.

“Ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correcting them, is essential,” OCR Acting Director Robinsue Frohboese said. “Although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine.”