Failure To Learn From Own Mistakes Leads To $3.2 Million HIPAA Penalty

Written by: Richard Sheinis, Esq.

A mistake is nothing more than an opportunity to learn. Of course, you have to take advantage of that opportunity. Children’s Medical Center of Dallas’s failure to take that opportunity has led to a HIPAA civil monetary penalty of $3.2 million. In 2010, Children’s filed a report with OCR indicating the loss of an unencrypted, non-password-protected BlackBerry at the Dallas/Fort Worth Airport on November 19, 2009. The BlackBerry held the ePHI of 3,800 individuals.

In 2013, Children’s filed another breach report with OCR, this time reporting the theft of an unencrypted laptop. The laptop contained the ePHI of 2,462 individuals. An OCR investigation revealed that Children’s had failed to implement a risk management plan, despite a recommendation to do so, and had not implemented encryption on all laptops, workstations, mobile devices and removable media until after the laptop was stolen. Children’s failure to implement encryption procedures, despite having experienced a similar breach involving an unencrypted mobile device several years earlier, was obviously a key factor in HHS levying such a large monetary penalty.

This is a great example of a breach in which a hacker or outside attacker was not the problem. The problem was Children’s failure to do the easy things, a risk management plan and encryption, and that failure is what led to the penalty. Any health care provider can avoid these mistakes and penalties with a basic HIPAA risk analysis, a risk management plan, and learning from the mistakes of others. Actually, the risk analysis and the risk management plan are specifically required by HIPAA regulations; “learning from the mistakes of others” is my regulation!