Children’s Medical Center of Dallas will pay a $3.2 million settlement—the sixth-largest in history—for failing to comply with HIPAA.
The alleged multiple offenses date back to 2009 when a BlackBerry was lost at Dallas-Fort Worth airport. It was carrying about 3,800 patients’ records. A more recent incident in 2013 involves the theft of an unencrypted laptop computer with 2,462 patients’ records from the hospital, according to a statement.
Subsequent federal investigations revealed “a failure to implement risk management plans, contrary to prior external recommendations to do so, and a failure to deploy encryption or an equivalent alternative measure on all of its laptops, work stations, mobile devices and removable storage media.”
Children’s provided its nurses with unencrypted BlackBerries until 2013 despite knowing the risk of maintaining unencrypted electronic protected health information on its devices as far back as 2007, the statement said.
HIPAA does not mandate encryption, but it does require healthcare delivery to “address” data security if encryption is not used.
This settlement is the first since President Donald Trump took office last month.
Privacy lawyer Kirk Nahra with Wiley Rein in Washington, D.C., said it’s too early to tell – and the enforcement action against Childrens’ isn’t a good test case – to determine the Trump administration’s stance on privacy and security enforcement.
“It’s a pretty normal case in the sense that it was repeated problems over a period of time that weren’t fixed,” Nahra said. “That’s a recipe for OCR to act.”
During its eight years, the Obama administration reached 41 HIPAA settlements totaling more than $51 million, with 19 for $1 million or more. It’s last, with the MAPFRE Life Insurance Company of Puerto Rico for $2.2 million, came the week before President Barack Obama left office.
Nahra said it will be interesting to see the new administration’s approach to enforcing HIPAA security rule revisions in the HITECH provisions of the American Recovery and Reinvestment Act of 2009.
Specifically, HITECH put business associates on the same legal footing as hospitals, physician practices, claims clearinghouses and health plans – so-called HIPAA covered entities – in terms of privacy and security rule liabilities. The law also mandated OCR conduct a series of HIPAA audits of business associates. The audits began last March.
“The issue is, how do they treat a business associate?” Nahra said. “That’s one of the things they might get out of this series of audits, what the business associate climate is like. I don’t think they have an idea right now.”