OCR Hits Children's Medical Center of Dallas

Lockdown Mobile Media

HIPAA compliance requires special security for mobile media

Another HIPAA penalty for a hospital, this time in our own backyard.  Children’s Medical Center of Dallas (Children’s) was penalized $3.2 million for its impermissible disclosure of electronic protected health information (ePHI) and non-compliance with HIPAA rules over many years.  Children’s Medical Center of Dallas is part of Children’s Health and is a pediatric hospital located in Dallas, Texas. 
In 2010, Children’s was forced to file a HIPAA breach report when it lost an unencrypted, non-password-protected BlackBerry device at D/FW International Airport, which contained the ePHI of an estimated 3,800 individuals. Children’s filed a separate HIPAA breach report in 2013 when it reported the theft of an unencrypted laptop from the hospital containing the ePHI of almost 2,500 individuals. The Office for Civil Rights (OCR), the government office that enforces HIPAA, was not impressed with the physical safeguards of badge access and security cameras in the laptop storage area. Despite implementing these safeguards, Children’s gave access to the area to workers who were not authorized to access ePHI.
Ultimately, a key factor in OCR’s decision was Children’s failure to implement risk management plans after it conducted a security analysis in 2007, which revealed an absence of risk management. Then in 2008, an audit of threats and vulnerabilities by Price Waterhouse Coopers revealed that encryption was necessary on all mobile devices, laptops, thumb drives and workstations. Children’s failure to use encryption on its mobile and laptop devices dating back to 2007 was also a reason for its heavy penalty, as these breaches likely would not have occurred had Children’s employed preventive measures.
It was Children’s lack of willingness to change that resulted in the fine.  Had Children’s changed its policies after it knew of the first breach, there would have been mitigating factors.  Children’s also lacked the disposition to fight the penalty to have it reduced.  Children’s never requested a hearing after OCR’s proposed determination letter, which may have benefitted the hospital by reducing the fine.
With Children’s being a pediatric hospital, it is likely that most of these individuals were children who will not know if their identities were compromised until they reach adulthood. While news of a HIPAA breach and penalty is always troublesome, this news is especially so to those of us who live and work in the Dallas metroplex.  If you have any concerns regarding your practice’s HIPAA compliance, contact the Shaw & Associates’ offices immediately.