Children’s Medical Center of Dallas (Children’s) was recently given an OCR HIPAA civil money penalty due to ePHI disclosure and several years of HIPAA non-compliance, according to a Department of Health and Human Services (HHS) release.
Children’s paid a full civil money penalty of $3.2 million, and was also issued a Notice of Final Determination.
A breach report was first filed with OCR on January 28, 2010, when an unencrypted, non-password protected Blackberry was reported lost. Approximately 3,800 individuals had their ePHI on the device.
Nearly three years later, a separate breach notification was submitted. In this case, an unencrypted laptop was stolen between April 4 and April 9, 2013. That device reportedly contained the ePHI of 2,462 individuals.
“OCR’s investigation revealed Children’s noncompliance with HIPAA Rules, specifically, a failure to implement risk management plans, contrary to prior external recommendations to do so, and a failure to deploy encryption or an equivalent alternative measure on all of its laptops, work stations, mobile devices and removable storage media until April 9, 2013,” HHS explained.
Children’s also knew there was a risk in keeping unencrypted ePHI on its devices, dating as far back as 2007, the investigation found. Furthermore, unencrypted BlackBerry devices were distributed to nurses, while staff members were allowed to use unencrypted laptops and other mobile devices until 2013.
For example, Children’s submitted a Security Gap Analysis and Assessment during OCR’s investigation, covering December 2006 to February 2007. That assessment found an absence of risk management and recommended that the medical center implement encryption to prevent the loss of PHI on any stolen or lost laptops.
“Ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correcting them, is essential,” OCR Acting Director Robinsue Frohboese said in a statement. “Although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine.”
One of the leading factors in OCR’s determination of the civil money penalty was that Children’s failed to implement access controls. This included encryption and decryption capabilities, or an equivalent alternative measure, which is required under HIPAA regulations. The medical center also did not document its decision not to implement encryption and decryption, or the reasoning behind that decision.
OCR also determined that Children’s failed “to implement sufficient policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of its facility.” Children’s was also required under HIPAA rules to have policies and procedures on how ePHI is moved within its facility.
A separate 2008 PwC analysis of ePHI threats and vulnerabilities also determined encryption to be necessary for Children’s.
“The PwC Analysis also determined that a mechanism was not in place to protect data on a laptop, workstation, mobile device, or USB thumb drive if the device was lost or stolen and identified the loss of data at rest through unsecured mobile devices as being ‘high’ risk,” the OCR Notice of Proposed Determination stated. “PwC identified data encryption as a ‘high priority’ item and recommended that Children's implement data encryption in the fourth quarter of 2008.”
The HIPAA Security Rule considers data encryption to be an “addressable” specification for access controls. However, covered entities should consider encryption when transmitting ePHI, especially over the internet.
“As business practices and technology change, situations may arise where EPHI being transmitted from a covered entity would be at significant risk of being accessed by unauthorized entities,” according to the HIPAA Security Series. “Where risk analysis shows such risk to be significant, a covered entity must encrypt those transmissions under the addressable implementation specification for encryption.”
Organizations should consider several issues when deciding whether to implement encryption. For example, entities should review how they transmit ePHI and how often they transmit it. Furthermore, it is important to conduct a risk analysis to determine whether encryption is necessary for secure ePHI transmission.
Finally, covered entities should review different methods of encryption that would be used to protect ePHI during transmission.
“Together with reasonable and appropriate Administrative and Physical Safeguards, successful implementation of the Technical Safeguards standards will help ensure that a covered entity will protect the confidentiality, integrity and availability of EPHI,” HHS writes.