Shannon Hartsfield Salimone is a lawyer in our Tallahassee office

HIPAA privacy and security rules have been in place for many years. A recent enforcement action by the HHS Office for Civil Rights (OCR) makes it clear that delaying or avoiding compliance efforts could result in significant fines. On Feb. 1, 2017, OCR announced a $3.2 million penalty against Children's Medical Center of Dallas (Children's). In 2010, Children's reported to OCR that a portable device containing electronic protected health information (ePHI) of 3,800 individuals had been lost in an airport in 2009. In 2013, Children's reported the theft of an unencrypted laptop containing ePHI of 2,462 individuals. OCR conducted an investigation and found a number of areas of noncompliance with HIPAA spanning several years.

Acting OCR Director Robinsue Frohboese stated, "Although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizeable fine."

OCR's Notice of Proposed Determination, which Children's did not challenge by the required hearing request deadline, provides additional details regarding the basis for the penalty. This recent OCR enforcement action serves as a reminder to covered entities and business associates that it is important to identify risks to ePHI. Once risks are identified, the entity must take reasonable steps to mitigate the risks.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.