Issuance of Unencrypted Mobile Device Was Costly: $3.2 Million HIPAA Penalty Assessed in Disputed Penalty Proceeding with Waived Hearing

In what may have been the first reported HIPAA penalty in which a hospital contested the allegations, the Office of Civil Rights (“OCR”) announced on February 1, 2017 that it had levied a Civil Monetary Penalty of $3.2 million against Children’s Medical Center of Dallas (“Children’s”) for release of patient information on unencrypted Blackberry devices and a laptop.

OCR took pains to point out in its press release that, while Children’s had submitted written responses in opposition to the penalty proceeding, it waived its right to a hearing by failing to request a hearing by the required date. The amount of the penalty makes clear that if one wants to dispute an OCR proceeding, one must meet all required deadlines and file all required notices appropriately.

As when it made its decision to contest the OCR proceeding rather than settle, Children’s undoubtedly had the best intentions when it issued Blackberry devices for use by clinicians and others, undoubtedly for Blackberry’s vaunted security. But the hospital failed to encrypt the devices and, when they were lost, along with a laptop that contained unencrypted laptop (2,484 patient’s information in total), it paid dearly.

OCR’s Notice of Proposed Determination, included with the Notice of Final Determination of the penalty amount, noted that the penalty could have been much higher.  The maximum for the failure to encrypt, OCR noted, was $6,000,000 (over four years); the maximum penalty for the cited failure to have a mobile device management program over three years was $4,500,000; and a penalty for the unauthorized disclosure if the health information of 2,484 patients could have been $3,000,000.

OCR also observed that the final penalty could have been lower than the amount imposed if Children’s had attempted to reach a settlement. There are three messages from OCR in this press release and Notice: first, that OCR is serious about encryption (as if that needed repeating in the wake of several million-dollar-plus penalty settlements); it will strictly enforce its administrative proceedings rules against those who fight penalty proceedings, and that these entities may face vastly increased penalties; and, at the same time, OCR stands ready to negotiate penalty amounts.

As breaches and cyber-attacks increase, and HIPAA penalty amounts concomitantly grow, more and more entities will no doubt decide to dispute OCR’s allegations. If you need assistance with OCR inquiries and proceedings, please call Kenneth N. Rashbaum.