Dallas hospital pays out $3.2 million for HIPAA breach

The Children’s Medical Center of Dallas recently agreed to pay a $3.2 million penalty to settle the U.S. Department of Health and Human Services’ (“DHS”) pursuit of sanctions against it for a HIPAA breach.  Children’s Medical Center failed to properly secure its ePHI, and it was inadvertently disclosed.

Children’s Medical Center is a pediatric hospital in Dallas, Texas, and is part of Children’s Health, the seventh largest pediatric healthcare provider in the nation.

First, in January of 2010, Children’s Medical Center filed a HIPAA Breach Notification Report with DHS to report that an unencrypted, non-password protected BlackBerry device had been lost at the Dallas/Fort Worth International Airport on November 19, 2009. The device contained the ePHI of approximately 3,800 Children’s Medical Center patients.

(Not sure what a Breach Notification Report is? Review your HIPAA policy for a refresher course on when you should file these reports, or email us to get a quote for a customized policy manual.)

In July of 2013, Children’s Medical Center filed another HIPAA Breach Notification Report, this time reporting that an unencrypted laptop was stolen from the hospital sometime in April. Children’s Medical Center reported that the laptop contained the ePHI of 2,462 individuals.

In general, HIPAA requires that you have written policies addressing three big topics: privacy, security, and breaches.  Children’s Medical Center wasn’t clueless when it came to security – it implemented some physical safeguards to protect the area where laptops were stored, including badge access and a security camera at one of the entrances.  However, it also allowed access to the area for workforce members who weren’t authorized to access ePHI.

Children’s Medical Center had failed to implement procedures that were compliant with HIPAA.  It did not implement risk management plans, nor did it use encryption on all of its laptops, workstations, mobile devices, or removable media storage.  And although it was aware of the  risk of storing unencrypted ePHI on electronic devices, Children’s Medical Center provided unencrypted BlackBerry devices to nurses.  It also allowed its workforce members to continue using unencrypted laptops and other mobile devices until 2013.

If you want to learn more…

You can review the DHS press release here.  You can also read more about HIPAA audits, and why you need comprehensive policies and procedures here.

This blog is made for educational purposes and is not intended to be specific legal advice to any particular person. It does not create an attorney-client relationship between our firm and the reader. It should not be used as a substitute for competent legal advice from a licensed attorney in your jurisdiction.

© 2017 Jackson LLP, all rights reserved

About the author

Erin K. Jackson is Jackson LLP’s Managing Partner. She is responsible for all aspects of firm management, is a sought-after speaker for healthcare conferences, and is a published author. She is specifically focused upon the intersection of the patient experience in healthcare with the legal and ethical responsibilities of providers.