HIPAA Noncompliance Proves Risky and Expensive for Covered Entities


The failure to comply with several parts of the Health Insurance Portability and Accountability Act security rule cost a Texas hospital $3.2 million.  

The penalties and Notice of Final Determination come after a Department of Health and Human Services Office for Civil Rights investigation, OCR announced Feb. 1.

Children’s Medical Center of Dallas filed two separate breach reports with OCR, in 2010 and 2013. In January 2010, the hospital notified OCR of the loss of an unencrypted, non-password protected BlackBerry device containing the electronic protected health information of approximately 3,800 individuals.

In July 2013, the hospital reported to OCR’s the theft of an unencrypted laptop from its premises containing the ePHI of 2,462 individuals.

In addition to the impermissible disclosure of unsecured ePHI, OCR investigation found that, despite previous external recommendations, the hospital failed to implement risk management plans. The investigation also found that the hospital failed to encrypt all of its laptops, work stations, mobile devices and removable storage media until 2013, despite knowledge of security risks dating back to 2007.

Because the hospital didn’t request a hearing in response to the Notice of Proposed Determination, it must pay the full civil monetary penalty of $3.2 million.

Settling for (Hopefully) Less

OCR hopes a January 2017 settlement will drive home how important it is for covered entities to implement risk management plans. 

In September 2011, and MAPFRE Life Insurance Company of Puerto Rico reported to OCR the theft of a USB drive containing ePHI of 2,209 individuals, including complete names, dates of birth and Social Security numbers.

OCR’s investigation found impermissible disclosure of ePHI, failure to encrypt laptops and removable storage media until September 2014 and failure to conduct risk analysis and implement risk management plans, contrary to prior representations.

The $2.2 million settlement is based on potential HIPAA noncompliance and MAPFRE’s financial standing.

Design benefit plans and respond quickly and confidently to a range of potential issues with a free trial to the Benefits Practice Resource Center.