OCR Penalizes Health System for Multiple HIPAA Violations

February 2, 2017 David Holtzman

On February 1, 2017, OCR announced that it levied a $3.2 million civil money penalty against Children’s Medical Center of Dallas (Children’s). The enforcement action ends a nearly six-year-long investigation into Children’s health information privacy and security practices.

OCR’s review of Children’s compliance with the HIPAA Privacy and Security Rules was prompted by reports of breaches compromising protected health information (PHI). The reports concerned lost or stolen smartphones and other portable devices that stored patient information without encryption. OCR’s investigation found multiple security issues and a lack of HIPAA compliance dating back as far as 2007. According to the agency’s report, Children’s issued unencrypted mobile devices to its nurses, as well as other unencrypted devices, between 2007 and 2013. In January 2010, Children’s reported to OCR a breach in which the PHI of 3,800 individuals was compromised when an unencrypted mobile device with no password protection was lost. Then, in July 2013, Children’s reported that an unencrypted device holding the PHI of nearly 2,500 individuals had gone missing in April 2013. Children’s had some physical safeguards in place but overlooked that the laptop storage area was accessible to unauthorized employees.

Part of the reason for the hefty penalty is that OCR’s investigation found repeated failures to put appropriate security safeguards in place, despite multiple information security risk assessments that identified threats and vulnerabilities which were easy to mitigate. In other words, Children’s was well aware of the risk of keeping PHI on unencrypted mobile devices and yet continued to repeatedly violate the standards of the HIPAA Security Rule.

“Although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine,” OCR acting Director Robinsue Frohboese said in a statement.

Click here to read the press release issued by OCR.
