A February 2 article in Bloomberg BNA's Privacy Law Watch and other publications, "Hospital Hit With $3.2M Penalty for Ongoing Health Data Security Lapses," reported that Children's Medical Center of Dallas received a $3.2 million civil money penalty after years of noncompliance with HIPAA rules and after failing to request a hearing on the penalty.  Day Pitney's Eric Fader was quoted in the article.

The fine was imposed by the U.S. Department of Health and Human Services' Office for Civil Rights (OCR). The hospital filed data breach reports with OCR as early as 2010 but kept using unencrypted laptops and other mobile devices until 2013, notwithstanding that the breaches involved the loss of unencrypted devices containing protected health information and that prior internal analyses had recommended encryption.

Eric told Bloomberg BNA that he was "truly astounded" that the hospital didn't submit a request for a hearing within the prescribed time period in an attempt to reduce the penalty amount. He said he believed the hospital was lucky that OCR deemed the violations not to have been due to willful neglect. "I have to say, being told in 2007 and 2008 that you need to encrypt your devices but not doing so until 2013, despite uncovering several data breaches in the interim, sure seems like willful neglect to me," Eric said.

Eric also said he was shocked that the hospital compounded its violations by apparently not taking the regulatory process seriously.

For more articles and regular updates on legislative changes, regulatory developments and other news of interest to businesses, professionals and investors in the healthcare industry, please subscribe to Day Pitney's mailing lists.


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.