Don’t Delay Remedying a Data Breach
It’s often a good idea to take your time when doing something important to make sure it’s done properly, but when it comes to remedying a data breach, that approach is likely to end with a large fine.

Children's Medical Center of Dallas was recently assessed a $3.2 million civil monetary penalty for years of failing to comply with the Health Insurance Portability and Accountability Act following data breaches in 2010 and 2013.

Children’s even had a chance to request a hearing with the government to argue for a reduced penalty, but failed to act in time.

It’s unusual for the Health and Human Services Office for Civil Rights to resolve this type of behavior with a penalty as opposed to a resolution agreement, Arthur Fried, an attorney with Epstein Becker Green, told me.

Fried said Children’s decision not to challenge the penalty in a hearing or reach a settlement might have been influenced by a desire to avoid a corrective action plan, which is usually part of a settlement. Most corrective action plans run for three years and require hospitals to work closely with the OCR on fixing HIPAA vulnerabilities.

“The hospital might have made the determination to pay the penalty and avoid the corrective action plan so as to avoid having the OCR breathing down their neck for several years,” Fried said.

Scott Summerall, a spokesman for the hospital, told me that Children’s fully cooperated with the OCR investigation into the breaches and has no reason to believe any patients were harmed by the breaches, which involved the loss of electronic devices that contained protected health information.

“We have decided to pay the imposed fine because the efforts to formally contest the claims would be a long and costly distraction from our mission to make life better for children,” Summerall said.
