By James Swann for Bloomberg BNA
A Dallas pediatric hospital is on the hook for a $3.2 million penalty after years of noncompliance with a federal health data security rule and after failing to request a hearing on the penalty.
Children’s Medical Center of Dallas filed data breach reports with the Health and Human Services Office for Civil Rights in 2010 and 2013 but kept using unencrypted laptops and phones until 2013, according to a notice of final determination posted Feb. 1. Both breaches involved the loss of electronic devices that contained protected health information.
The penalty is an indication the OCR will assess penalties if Health Insurance Portability and Accountability Act noncompliance is severe enough, despite a preference to settle cases, acting OCR Director Robinsue Frohboese said.
It’s unusual for this type of HIPAA matter to be resolved by a penalty rather than a resolution agreement, Arthur Fried, a health-care attorney with Epstein Becker Green in Washington, told Bloomberg BNA Feb. 1.
Fried said the hospital’s decision not to challenge the penalty, or reach a settlement, might have been influenced by a desire to avoid a corrective action plan. Most resolution agreements include a corrective action plan, which normally lasts three years, Fried said.
“The hospital might have made the determination to pay the penalty and avoid the corrective action plan so as to avoid having the OCR breathing down their neck for several years,” Fried said.
Fried said penalties of this level are typically reserved for situations where an organization is aware of a HIPAA vulnerability but takes no action to remedy it.
The OCR’s actions are a reflection of how it views long-term and repeated failures to fix known problems, Kirk Nahra, a health-care attorney with Wiley Rein in Washington, told Bloomberg BNA Feb. 1.
“Duration plus repeated problems plus failure to fix is a bad combination,” Nahra said.
The hospital was informed in September 2016 that it had the right to request a hearing to challenge the $3.2 million civil monetary penalty. However, it didn’t request one in time.
Scott Summerall, a spokesman for Children’s, told Bloomberg BNA the hospital has cooperated with the OCR investigation and has no reason to believe that any patients were affected by the loss of the electronic devices.
“We have decided to pay the imposed fine because the efforts to formally contest the claims would be a long and costly distraction from our mission to make life better for children,” Summerall said.
Dodging Maximum Penalty
The OCR could have imposed a $6 million penalty on the hospital but, according to the notice of final determination, chose the minimum amount because there was no known harm to any individuals, Kevin Page, a health-care attorney with Waller Lansden Dortch & Davis LLP in Nashville, Tenn., said.
“One major takeaway is that failure to implement encryption or adopt effective device and media controls continues to be a hot topic that I anticipate will continue to see enforcement activity,” Page told Bloomberg BNA Feb. 1.
Eric Fader, a health-care attorney with Day Pitney LLP in New York, said he was “truly astounded” that the hospital didn’t come up with some response to the proposed penalty within 90 days, just to try to mitigate the penalty a bit.
Fader said the hospital was lucky the OCR deemed the violations weren’t due to willful neglect.
“I have to say, being told in 2007 and 2008 that you need to encrypt your device but not doing so until 2013, despite uncovering several data breaches in the interim, sure seems like willful neglect to me,” Fader said.
Fader said he was shocked that the hospital then compounded its violations by apparently not taking the regulatory process seriously.