The Department of Health and Human Services’ Office for Civil Rights has announced the first Civil Monetary Penalty of the year: The Children’s Health HIPAA fine of $3.2 million is one of the largest penalties to date for a single HIPAA-covered entity.
The size of the CMP reflects the number of violations discovered and the length of time that the HIPAA violations were allowed to persist before Children’s Health eventually complied with Health Insurance Portability and Accountability Act Rules in 2013.
The Children’s Health HIPAA fine resolves violations of HIPAA Rules dating back to at least 2007. OCR became aware of the violations during an investigation of a breach of electronic protected health information (ePHI) that was reported in 2010. That incident involved the loss of a Blackberry device by an employee of the Children’s Medical Center of Dallas at Dallas-Fort Worth International Airport.
The loss of a device containing the ePHI of patients is not necessarily a major security breach. If portable electronic devices containing ePHI are encrypted, a loss or theft does not even need to be reported to OCR. However, in this case the device was not encrypted and was not even protected with a password. As a result, the ePHI of 3,800 patients was exposed.
Children’s Medical Center of Dallas experienced a similar incident in 2010, when an iPod containing the ePHI of 22 patients was stolen. While that incident was not as severe, the breach could have been prevented had the device been encrypted. Another incident occurred in 2013. On that occasion the device was an unencrypted laptop computer, although it was protected with a password. The ePHI of 2,500 individuals was exposed as a result of that incident.
The Health Insurance Portability and Accountability Act does not require HIPAA-covered entities to encrypt data on all portable devices. Encryption is an addressable implementation specification rather than a required one, but it must be considered as a safeguard against the exposure or theft of ePHI.
That means a HIPAA-covered entity must conduct a comprehensive risk assessment and determine whether the use of portable electronic devices poses a risk to the confidentiality, integrity, and availability of ePHI.
A covered entity must decide whether encryption is appropriate and, if not, which alternative measures should be put in place to protect ePHI. If encryption is not used, the reasons for rejecting it must be documented, along with the alternative measures that have been selected in its place.
However, in this case, investigators determined that not only had encryption been rejected, but alternative measures had not been implemented either. While a covered entity could argue its case if a single breach had been experienced, multiple breaches demonstrate that there was a clear risk of ePHI exposure. At the very least, that risk should have been mitigated after the first breach. Had that been the case, it is possible a CMP could have been avoided. However, a series of data breaches with the same root cause – a lack of encryption – is almost certain to result in action being taken by OCR.
In the case of Children’s Medical Center of Dallas, other evidence uncovered during the investigation showed that the healthcare organization had actively rejected encryption. A Security Gap Analysis conducted by Strategic Management Systems, Inc. (SMS) in 2006/2007 showed that there were risks to ePHI on portable devices, and SMS recommended that encryption be used to protect sensitive data. PricewaterhouseCoopers (PwC) also conducted an assessment in 2008, which similarly recommended the use of encryption on portable devices used to store ePHI. However, it was not until 2013 that Children’s Medical Center of Dallas finally decided to implement encryption.
OCR determined that between 2007 and April 2013, Children’s Medical Center of Dallas was well aware of the risks to ePHI yet did not use encryption to protect portable electronic devices. It continued to issue unencrypted Blackberry devices to nurses, and unencrypted laptops and other portable devices to physicians and other staff.
OCR discovered that a full inventory of devices had not been conducted until November 9, 2012, and as a result, Children’s Medical Center of Dallas did not know which devices needed to be protected. OCR also reports that Children’s Medical Center of Dallas lacked appropriate policies and procedures with regard to the movement of portable devices within its facilities and their removal from its premises.
The Children’s Health HIPAA fine of $3,217,000 was based on the number of days that the violations were allowed to persist, calculated at the minimum rate of $1,000 per day. OCR determined that there was probable cause rather than willful neglect of HIPAA Rules. Had OCR determined there was willful neglect, the fine could have been calculated at a rate of $10,000 per day.
The Children’s Health HIPAA fine should send a message to all covered entities about the need for encryption on portable devices used to store ePHI. If encryption is not chosen, other protections must be put in place that provide an equivalent amount of protection.