By James Swann
A Dallas pediatric hospital is on the hook for a $3.2 million penalty after years of noncompliance with a federal health data security rule and after failing to request a hearing on the penalty.
Children’s Medical Center of Dallas filed data breach reports with the Health and Human Services Office for Civil Rights in 2010 and 2013 but kept using unencrypted laptops and phones until 2013, according to a notice of final determination posted Feb. 1. Both breaches involved the loss of electronic devices that contained protected health information.
The penalty is an indication the OCR will assess penalties if Health Insurance Portability and Accountability Act noncompliance is severe enough, despite a preference to settle cases, acting OCR Director Robinsue Frohboese said.
It’s unusual for this type of HIPAA matter to be resolved by a penalty rather than a resolution agreement, Arthur Fried, a health-care attorney with Epstein Becker Green in Washington, told Bloomberg BNA Feb. 1.
Fried said the hospital’s decision not to challenge the penalty, or reach a settlement, might have been influenced by a desire to avoid a corrective action plan. Most resolution agreements include a corrective action plan, which normally lasts three years, Fried said.
“The hospital might have made the determination to pay the penalty and avoid the corrective action plan so as to avoid having the OCR breathing down their neck for several years,” Fried said.
Fried said penalties of this level are typically reserved for situations where an organization is aware of a HIPAA vulnerability but takes no action to remedy it.
The OCR’s actions are a reflection of how it views long-term and repeated failures to fix known problems, Kirk Nahra, a health-care attorney with Wiley Rein in Washington, told Bloomberg BNA Feb. 1.
“Duration plus repeated problems plus failure to fix is a bad combination,” Nahra said.
The hospital was informed in September 2016 that it had the right to request a hearing to challenge the $3.2 million civil monetary penalty. However, it didn’t request one in time.
Scott Summerall, a spokesman for Children’s, told Bloomberg BNA the hospital has cooperated with the OCR investigation and has no reason to believe that any patients were affected by the loss of the electronic devices.
“We have decided to pay the imposed fine because the efforts to formally contest the claims would be a long and costly distraction from our mission to make life better for children,” Summerall said.
According to the notice of final determination, the OCR could have imposed a $6 million penalty on the hospital but decided to go with the minimum amount because of the lack of known harm to any individuals, Kevin Page, a health-care attorney with Waller Lansden Dortch & Davis LLP in Nashville, Tenn., said.
“One major takeaway is that failure to implement encryption or adopt effective device and media controls continues to be a hot topic that I anticipate will continue to see enforcement activity,” Page told Bloomberg BNA Feb. 1.
Eric Fader, a health-care attorney with Day Pitney LLP in New York, said he was “truly astounded” that the hospital didn’t come up with some response to the proposed penalty within 90 days, just to try to mitigate the penalty a bit.
Fader said the hospital was lucky the OCR deemed the violations weren’t due to willful neglect.
“I have to say, being told in 2007 and 2008 that you need to encrypt your device but not doing so until 2013, despite uncovering several data breaches in the interim, sure seems like willful neglect to me,” Fader said.
Fader said he was shocked that the hospital then compounded its violations by apparently not taking the regulatory process seriously.
To contact the reporter on this story: James Swann in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Kendra Casey Plank at email@example.com
The final determination is available at https://www.hhs.gov/sites/default/files/childrens-notice-of-final-determination.pdf.
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.