Earlier this month, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) civil money penalty of $3,217,000.00 against Children’s Medical Center of Dallas (Children’s), a pediatric hospital that is part of Children’s Health, the seventh largest pediatric health care provider in the nation. OCR based this penalty on its finding that Children’s failed to comply with HIPAA Security Rule over many years and that Children’s impermissibly disclosed unsecured electronic protected health information (ePHI) when it suffered two data breaches that were reportable to OCR.

The Breaches

  • On January 18, 2010, Children’s reported to OCR the loss of an unencrypted, non-password protected BlackBerry device at an airport on November 19, 2009. The device contained the ePHI of approximately 3,800 individuals.
  • On July 5, 2013, Children’s reported to OCR the theft of an unencrypted laptop from its premises sometime between April 4 and April 9, 2013. The device contained the ePHI of approximately 2,462 individuals.

Because Children’s devices were unencrypted, Children’s was obligated to report their loss, along with the unsecured ePHI they contained, to the HHS. Had Children’s devices been encrypted, it could have taken advantage of the “safe harbor” rule, pursuant to which covered entities and business associates are not required to report a breach of information that is not “unsecured.”

The Investigation

  • OCR’s investigation revealed that, in violation of HIPAA Rules, Children’s (1) failed to implement risk management plans, contrary to prior external recommendations to do so, and (2) knowingly and over the course of several years, failed to encrypt, or alternatively protect, all of its laptops, work stations, mobile devices, and removable storage media.
    • OCR’s investigation established that Children’s knew about the risk of maintaining unencrypted ePHI on its devices as far back as 2007.
    • Despite this knowledge, Children’s issued unencrypted BlackBerry devices to nurses and allowed its workforce members to continue using unencrypted laptops and other mobile devices until 2013.

The Takeaways

  • Implement HIPAA Safeguards. HIPAA covered entities and business associates should implement appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI, as required by the Security Rule.
  • Don’t delay. If you are a HIPAA covered entity or business associate, your Legal and IT should ensure that the safeguards are implemented entity-wide and without any undue delays. Your employees travel for business and probably take work home. You quite literally could be one lost device away from a disastrous data breach and a multi-million dollar fine.
  • Encrypt your ePHI. An important technical safeguard is encryption of ePHI, which is not expressly, but effectively required under HIPAA, since only breaches of unsecured ePHI must be reported to the HHS. See 45 C.F.R. § 164.408.
  • Don’t lose your encryption key. The encryption key should be stored separately from the ePHI. As specified in the HIPAA Security Rule, ePHI is encrypted by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304 definition of encryption) and such confidential process or key that might enable decryption has not been breached.
  • Security is (usually) not a DIY project. For many covered entities and business associates, implementation of the Security Rule is outside of their wheelhouse. Hiring a reputable, skilled technology vendor to implement the physical safeguards, and hiring an knowledgeable outside legal counsel to ensure compliance with all aspects of the Security Rule, as well as to ensure a certain level of privilege protection, can go a long way to avoiding a reportable data breach.

As discussed in our previous post, “Top Five Data Breach Trend Predictions for 2017,” medical identity theft is likely to remain cybercriminal’s top target this year, since medical information is lucrative and easy to exploit. After all, compared to a stolen credit card number, a stolen medical record offers so much more personal information. Healthcare organizations need to ensure they have proper, up-to-date security measures in place, including data-breach response plans, ePHI encryption, and adequate employee training about the importance of security.