HHS' Office for Civil Rights fined Children's Medical Center of Dallas $3.2 million for failing to comply with HIPAA on multiple occasions.
The OCR issued a notice of proposed determination, which included ways in which Children's could file a request for a hearing. However, Children's did not request a hearing and paid the full $3.2 million.
The order is based on Children's Medical Center of Dallas' disclosure of electronic protected health information (ePHI). In January 2010, Children's filed a report with the OCR. The report claimed Children's lost an unencrypted, non-password-protected BlackBerry device — which contained the information of 3,800 patients — at the Dallas/Fort Worth International Airport in November 2009.
In July 2013, Children's filed another report, which described the theft of an unencrypted laptop from its premises. The laptop contained 2,462 patients' ePHI and was stolen between April 4 and April 9, 2013. Children's reported its laptop storage area had some safeguards — such as a security camera — but it also allowed employees who were not authorized to access ePHI into the area.
After an investigation, OCR determined Children's did not implement risk management plans despite earlier recommendations to do so. OCR also revealed that, although Children's knew of the risk of storing unencrypted ePHI on devices, it continued to issue unencrypted BlackBerry devices to nurses through 2013. In fact, Children's didn't deploy encryption on its laptops and mobile devices until April 9, 2013.