OCR Imposes $3.2 Million Penalty for BlackBerry Device Breach.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) civil money penalty (CMP) of $3.2 million against Children’s Medical Center of Dallas (“Children’s”).  OCR found that the hospital   impermissibly disclosed unsecured electronic protected health information (ePHI) and failed to comply with several HIPAA Security Rule standards for many years.

Children’s filed an initial breach report with OCR on January 18, 2010, indicating the loss of an unencrypted, non-password protected BlackBerry device containing the ePHI of 3,800 individuals.  In 2013, the hospital filed a separate HIPAA Breach Notification Report to report the theft of an unencrypted laptop from its premises.  The laptop contained the ePHI of 2,462 individuals.  Although Children’s implemented some physical safeguards in the laptop storage area, it also provided unauthorized personnel with access to the area.

OCR’s investigation revealed that Children’s failed to implement risk management plans in accordance with HIPAA rules.  The hospital had received prior external recommendations to do so.  Children’s also failed to use encryption or an equivalent alternative measure on all of its laptops, work stations, mobile devices and removable storage media until April 9, 2013.  Further, Children’s issued unencrypted BlackBerry devices to nurses, and allowed its workforce members to continue using unencrypted laptops and other mobile devices until 2013.  The usage of unencrypted devices was allowed despite Children’s knowledge of the risk of maintaining unencrypted ePHI on its devices as far back as 2007.

OCR emphasized that ensuring adequate security precautions is essential to protect ePHI.  Inadequate mobile device precautions can risk security and cost money, as evidenced by the CMP.  Such precautions include identifying and immediately correcting all security risks.

Mobile device security tips that organizations may consider include the following:

1. Create management, accountability, and oversight structures for covered entities;
2. Establish policies and procedures for mobile device use;
3. Provide training on the BYOD policy;
4. Keep an inventory of personal mobile devices that are authorized to access and transmit ePHI;
5. Use a device key, password, or other user authentication to verify user identity;
6. Install and/or enable encryption that protects ePHI stored on and sent by mobile devices;
7. Install or enable firewalls and regularly update security software;
8. Install or activate remote wiping, disabling and device shutdown tools;
9. Reinforce that devices should remain under personal control or under lock and key;
10. Install radio frequency identification (RFID) tags to help locate lost or stolen mobile devices;
11. Disable or do not install file-sharing applications on mobile devices used for ePHI transmission;
12. Establish electronic processes to prevent unauthorized parties from destroying or altering ePHI;
13. Train workforce on procedures to access ePHI using mobile devices;
14. Educate clinicians on the risks of data breaches, HIPAA violations, and fines; and
15. Delete all stored ePHI before a device is reused or discarded.

The OCR report is available at:

https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/Childrens.