A February 2 article in Bloomberg BNA's Privacy Law
Watch and other publications, "Hospital Hit With
$3.2M Penalty for Ongoing Health Data Security
Lapses," reported that Children's Medical Center of
Dallas received a $3.2 million civil money penalty after years
of noncompliance with HIPAA rules and after failing to request a
hearing on the penalty. Day Pitney's Eric Fader was
quoted in the article.
The fine was imposed by the U.S. Department of Health and Human
Services' Office for Civil Rights (OCR). The hospital filed
data breach reports with OCR as early as 2010 but kept using
unencrypted laptops and other mobile devices until 2013,
notwithstanding that the breaches involved the loss of unencrypted
devices containing protected health information and that prior
internal analyses had recommended encryption.
Eric told Bloomberg BNA that he was "truly astounded"
that the hospital didn't submit a request for a hearing within
the prescribed time period in an attempt to reduce the penalty
amount. He said he believed the hospital was lucky that OCR deemed
the violations not to have been due to willful neglect. "I
have to say, being told in 2007 and 2008 that you need to encrypt
your devices but not doing so until 2013, despite uncovering
several data breaches in the interim, sure seems like willful
neglect to me," Eric said.
Eric also said he was shocked that the hospital compounded its
violations by apparently not taking the regulatory process
seriously.