$3.2 Million HIPAA Fine: An Analysis
The Reasons Behind OCR's Tough Penalty in Case Against Children's Medical Center of Dallas
Federal HIPAA enforcers smacked a Texas pediatric hospital with a whopping $3.2 million civil monetary penalty after investigating breaches involving unencrypted mobile devices and uncovering longstanding failures to comply with HIPAA.
In a Feb. 1 statement, the Department of Health and Human Services' Office for Civil Rights says it imposed the hefty penalty on Children's Medical Center of Dallas "based on its impermissible disclosure of unsecured electronic protected health information and non-compliance over many years with multiple standards of the HIPAA Security Rule."
A key lesson to be learned from this case "is that the Office for Civil Rights can only be pushed so far when a covered entity or business associate is shown to have systemic, management-driven failures in putting into place safeguards to protect its health information," says privacy attorney David Holtzman, vice president at the security consulting firm CynergisTek.
This is only the third civil monetary penalty OCR has ever issued. Such penalties are reserved for the more egregious cases, typically those involving a lack of cooperation with investigators or a failure to take recommended steps to correct security deficiencies. In most major breach cases, the HIPAA enforcer instead reaches less severe financial settlements paired with corrective action plans.
OCR says Children's Medical Center, which is part of Children's Health, the seventh largest pediatric healthcare provider in the U.S., declined the opportunity to request a hearing on the proposed determination in the case. OCR then issued its notice of final determination, which spells out the terms of the civil monetary penalty, on Jan. 18.
"OCR issued a Notice of Proposed Determination ... which included instructions for how Children's could file a request for a hearing. Children's did not request a hearing. Accordingly, OCR issued a Notice of Final Determination and Children's [has] paid the full civil money penalty of $3.2 million," OCR says.
The hefty financial penalty in the case, stemming from the investigation of breaches affecting a total of only about 6,000 individuals, sends a strong message.
"The OCR has clearly communicated the penalties and associated factors to determine [the fines] that would apply to breaches," says Rebecca Herold, president of SIMBUS LLC, a privacy and security cloud services firm and CEO of The Privacy Professor, a consultancy. "OCR simply applied the math to the equations they have documented ... that they would use for determining breach penalties," she says, referring to a table of fines used for calculating penalties.
Breaking Down the Penalty
OCR's notice of final determination documents how the civil monetary fine was broken down based on the types of violations:
- Access controls - encryption and decryption: $923,000;
- Device and media controls: $772,000;
- Impermissible disclosures: $1.52 million.
"They were being generous and cut the Children's Medical Center of Dallas a break," Herold says, based on what OCR disclosed about its final determination. "Looking at the documented history of inadequate security controls, and what appears to be lack of risk assessments, or at least taking actions for the findings of risk assessments, it seems they may have legitimately been able to apply the highest tier of penalty, for willful neglect, and possibly also higher penalties for lack of risk assessments, and maybe even lack of adequate training," she says.
The enforcement action against Children's Medical Center is rooted in OCR investigations into breaches in 2009 and 2013 that both involved unencrypted mobile devices.
OCR notes that on Jan. 18, 2010, Children's filed a breach report about the Nov. 19, 2009, loss of an unencrypted, non-password protected BlackBerry device at the Dallas/Fort Worth International Airport. The device contained the ePHI of approximately 3,800 individuals.
On July 5, 2013, the Dallas hospital filed another breach report on the theft of an unencrypted laptop from its premises sometime between April 4 and April 9, 2013. That device contained the ePHI of 2,462 individuals.
"Although Children's implemented some physical safeguards to the laptop storage area - for example, badge access and a security camera at one of the entrances - it also provided access to the area to workforce not authorized to access ePHI," OCR says.
OCR adds in its statement that its investigation "revealed Children's noncompliance with HIPAA rules, specifically, a failure to implement risk management plans, contrary to prior external recommendations to do so, and a failure to deploy encryption or an equivalent alternative measure on all of its laptops, work stations, mobile devices and removable storage media until April 9, 2013."
Despite Children's Medical Center's knowledge about the risk of maintaining unencrypted ePHI on its devices as far back as 2007, the hospital issued unencrypted BlackBerry devices to nurses and allowed its workforce members to continue using unencrypted laptops and other mobile devices until 2013, OCR says.
HIPAA Civil Monetary Penalty Cases

| Covered entity | Year | Civil monetary penalty |
|---|---|---|
| Cignet Health | 2011 | $4.3 million |
| Children's Medical Center Dallas | 2017 | $3.2 million |
| Lincare Inc. | 2016 | $239,000 |
The OCR action taken against Children's Medical Center is the second largest civil monetary penalty ever levied by the agency.
The largest was a $4.3 million fine against Cignet Health in 2011 for failure to provide 41 patients with access to their health information, and then failure to cooperate with federal investigators. The other case involved a $239,000 fine in 2016 against Lincare Inc. after an employee left behind documents containing the PHI of 278 patients when moving to a new residence.
Failure to Act
The key issues in the Children's Medical Center case, says privacy attorney Kirk Nahra of the law firm Wiley Rein, "is the duration of the problems and the failure to implement good fixes to known problems. ... It is always good advice to fix problems that you know you have."
OCR's notice of final determination to Children's notes that the medical center was aware of the risks posed by its unencrypted mobile devices as early as 2007, but did not act to fully mitigate those issues until about six years later.
OCR points out that as a result of a gap analysis conducted for Children's by an independent firm in 2006 and 2007, and a separate analysis of threats and vulnerabilities to certain ePHI conducted in 2008 by a different firm, "Children's had actual knowledge of the risks to encrypted ePHI at rest by at least March 2007, at least one year prior to the reported security incidents."
In addition to those two risk analyses, in September 2012, the HHS Office of the Inspector General also issued the findings from its own audit of Children's that found insufficient security controls for devices such as smartphones and USB drives.
OCR's final determination document notes: "Appropriate commercial encryption products were available to achieve encryption of laptops, workstations, mobile devices, and USB thumb drives in use by Children's staff by, at least, the time of the analysis in 2008; however, Children's had not implemented encryption on all devices as of April 9, 2013."
Medical Center's Response
A Children's Medical Center of Dallas spokesman tells Information Security Media Group that OCR has been investigating the loss of three electronic devices for the last six years. "Two of the devices contained patient information. We have fully cooperated with the investigation, and we have no reason to believe that any patient or their families were affected by the loss of these devices."
The hospital decided to pay the fine, the spokesman says, "because the efforts to formally contest the claims would be a long and costly distraction from our mission to make life better for children."
Children's has enacted "many levels of protection across our variety of devices," he says. "We train our colleagues on the importance of protecting patient information, and the methods by which they do so. This is why we continually upgrade our encryption methods and implement new means by which we secure all of our information."
Lessons to Learn
CynergisTek's Holtzman says the Children's Medical Center case is unprecedented in several respects, citing the multiple breaches involving unencrypted devices and the medical center's alleged failure to mitigate security issues.
"Stunningly, Children's could not bring itself to reach an agreement with OCR that would have allowed the agency's compliance review and investigation to be resolved informally through Children's putting into place the administrative policies and processes required to comply with the HIPAA privacy and security standards," he adds.
The OCR action against Children's serves as a warning to others to put into place effective technologies and processes to safeguard PHI when a risk analysis identifies gaps and controllable vulnerabilities.
"The C-suite and boards of directors must ensure they are engaged in the overall approach to information security through oversight and accountability for the organization's approach to safeguarding PHI," Holtzman says.
While the penalty against Children's Medical Center represents the first HIPAA enforcement action by HHS under the Trump administration, the OCR final determination was worked out while President Obama was still in office.
"I don't expect any substantial change in enforcement activities in any direction [under Trump], unless there is some massive budget cut," Nahra says. "I can't see even this administration saying 'go easy on people that you have been investigating'. We may see a modest slowdown in new investigations, but for now, this is the same [OCR] people doing the same things."
Herold notes: "I anticipate, given the Trump team's own personal experiences with being hacked, along with those of the Republican National Committee, Democratic National Committee and Clinton teams, that the White House now realizes the need to have strong cybersecurity requirements in place. So, if anything, I would see more enforcement of HIPAA as opposed to less."