Children’s Pediatric Hospital in Dallas, Texas has paid a fine of $3.2 million for several violations of the Health Insurance Portability and Accountability Act (HIPAA).
Children’s Hospital is the seventh largest pediatric healthcare provider in the nation. The fine resulted from multiple disclosures of electronic protected health information (ePHI) and from failure to comply with the HIPAA Security Rule.
Children’s was given instructions for requesting a hearing on the matter, but it did not pursue one and instead settled by paying the penalty.
On January 18, 2010, Children’s reported a HIPAA breach to the Office for Civil Rights following the loss of an unencrypted BlackBerry phone. The device contained the ePHI of about 3,800 individuals and went missing at Dallas/Fort Worth International Airport. On July 5, 2013, Children’s reported a separate incident in which an unencrypted laptop containing the ePHI of 2,462 individuals was stolen from the hospital.
Children’s Hospital had implemented physical safeguards, including security cameras and employee badges, to limit and monitor outsider access; however, it did not take the necessary step of encrypting laptops and other electronic devices containing PHI. In 2007, PwC conducted a risk assessment that recommended data encryption be made a high priority and be in place by the fourth quarter of 2008. Despite the findings and recommendations of that risk assessment, Children’s continued to use unencrypted devices up through its most recent breach in 2013.
The HIPAA violations cited include:
- Failure to implement physical safeguards for all workstations that access ePHI, so as to restrict access by unauthorized users.
- Failure to follow third-party security recommendations.
- Failure to implement policies and procedures governing the removal of electronic devices from the workplace.