The Office of Civil Rights has slapped a $3.2 million penalty on Children’s Medical Center of Dallas for two negligent ePHI disclosures. Violating HIPAA rules is expensive. The case, which dates back to 2009, is a study in doing everything wrong. Healthcare tech consultants can learn a lot from it.
On November 19, 2009, a BlackBerry belonging to Children’s went missing at Dallas-Fort Worth Airport. It held electronic protected health information (ePHI) on about 3,800 individuals. It had no encryption, and not even a password. Letting employees carry unencrypted devices was apparently standard practice at the time, and the organization had ignored warnings from as far back as 2007 that this was a dangerous practice.
Three and a half years later, Children’s Medical Center hadn’t learned anything from the experience. In April of 2013, a laptop computer was stolen from an operating room storage area. It wasn’t encrypted. It didn’t have a password. What it had was ePHI on 2,462 people.
The area had required badge access and had a security camera, but people without authority to access ePHI routinely went into the area. Officials have speculated that a member of the cleaning staff may have stolen the computer.
The OCR was especially unimpressed by the failure to set up risk management plans. In 2013, Children’s Medical Center was still handing out unencrypted BlackBerry devices. Up to that point, management simply didn’t learn. It finally started using encryption on laptops and phones after the April 2013 theft. The best that can be said is that when OCR issued its Notice of Proposed Determination, management was contrite enough not to request a hearing and simply accepted the judgment.
The ongoing crackdown
This wasn’t the first multi-million-dollar HIPAA penalty of 2017. OCR has been cracking down on privacy and security breaches at an increasing rate.
In January, MAPFRE Life Insurance Company of Puerto Rico accepted a $2.2 million settlement. A USB drive had been stolen from its IT department in 2011; it contained the names and Social Security numbers of 2,209 people. The reason for the high penalty wasn’t just the data loss, but MAPFRE’s failure to conduct risk analysis and set up a risk management plan. It also didn’t set up encryption on laptops and removable media till 2014.
In 2016, OCR received $22,855,300 in penalties for alleged HIPAA violations. Seven of the settlements were for more than a million and a half dollars. Not all violations result in monetary penalties; the severity of the violations is a more important factor than the number of people affected. In three cases, there were monetary penalties even though the breaches affected fewer than 500 people.
Most of the large penalties in 2016 involved computer-related negligence. One was for letting TV crews film patients without their consent and over the objections of a medical professional.
The value of encryption
A policy of encrypting all devices that could hold ePHI is basic common sense, given the risks. HIPAA doesn’t, strictly speaking, require encryption, but a covered organization needs to provide some form of protection that’s at least as good and document its justification. It could, for example, lock a storage device in a closet and enforce strict access control. In most cases, encrypting data everywhere is simpler than the alternatives. It’s a very strong defense against claims that a breach occurred.
Password protection isn’t enough by itself. Someone who steals a computer can remove its disk drive, attach it to another machine, and read the data without ever entering the login password. Encrypted storage stays protected even against someone with physical possession of the computer.
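As an added example (not from the original article), the following shell audit flags mounted filesystems that have no dm-crypt/LUKS layer anywhere beneath them, which is exactly the kind of volume a disk-swap attack reads. It assumes the key="value" output of `lsblk --pairs` and runs here against a constructed sample; the device names in the sample are made up.

```shell
#!/bin/sh
# Added example: report mounted filesystems whose block-device chain contains
# no TYPE="crypt" layer, i.e. data at rest that is readable by anyone who moves
# the disk to another machine, regardless of login passwords.
# Input (stdin): lines from `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME`.
# Assumption: values contain no spaces (lsblk escapes them in --pairs output).
unencrypted_mounts() {
  awk '
    {
      n = split($0, kv, " ")
      for (i = 1; i <= n; i++) {            # parse KEY="value" pairs
        eq  = index(kv[i], "=")
        key = substr(kv[i], 1, eq - 1)
        val = substr(kv[i], eq + 2, length(kv[i]) - eq - 2)   # strip quotes
        f[key] = val
      }
      type[f["NAME"]]   = f["TYPE"]
      parent[f["NAME"]] = f["PKNAME"]
      if (f["MOUNTPOINT"] != "") mnt[f["NAME"]] = f["MOUNTPOINT"]
      split("", f)                          # clear the per-line field table
    }
    END {
      for (name in mnt) {                   # walk each mount down to the disk
        enc = 0
        for (d = name; d != ""; d = parent[d])
          if (type[d] == "crypt") enc = 1
        if (!enc) print mnt[name], name     # no LUKS/dm-crypt layer found
      }
    }' | LC_ALL=C sort
}

# Constructed sample host: root and EFI partitions are plain, /srv/phi is LVM
# on top of a LUKS container, and a USB stick is mounted unencrypted.
SAMPLE_LSBLK='NAME="nvme0n1" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="nvme0n1"
NAME="nvme0n1p2" TYPE="part" MOUNTPOINT="/" PKNAME="nvme0n1"
NAME="nvme0n1p3" TYPE="part" MOUNTPOINT="" PKNAME="nvme0n1"
NAME="luks-data" TYPE="crypt" MOUNTPOINT="" PKNAME="nvme0n1p3"
NAME="vg0-phi" TYPE="lvm" MOUNTPOINT="/srv/phi" PKNAME="luks-data"
NAME="sdb" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sdb1" TYPE="part" MOUNTPOINT="/media/usb" PKNAME="sdb"'

# Demo on the sample. On a real host run instead:
#   lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME | unencrypted_mounts
printf '%s\n' "$SAMPLE_LSBLK" | unencrypted_mounts
```

An empty result means every mounted filesystem sits on an encrypted mapping; any line printed names a mount point that would survive a disk swap in cleartext.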
Compliance avoids costs
The Children’s Medical Center case is an excellent study in what a healthcare provider should not do. Carelessness with confidential information is expensive, as case after case has shown.
A provider that protects data avoids huge costs, and it keeps its reputation high.