In a rare move, the OCR assessed a $3.2 million fine against Children’s Medical Center of Dallas (Children’s) after it issued a Notice of Proposed Determination against Children’s and Children’s failed to request a hearing.
The Notice was issued following the OCR’s investigation of two self-reported data breaches. The first involved the theft of an unencrypted Blackberry that was left at the Dallas airport on November 19, 2009, and was reported to the OCR on January 18, 2010. The Blackberry contained the protected health information (PHI) of 3,800 patients.
Children’s again self-reported a data breach on July 5, 2013. That breach occurred in April 2013 and involved the theft of an unencrypted laptop containing the PHI of 2,462 patients.
The OCR alleged that Children’s failed to implement risk management programs despite external recommendations by third-party vendors, and failed to deploy encryption or its equivalent on laptops, workstations, mobile devices and removable media until April 13, 2013. Children’s was providing unencrypted Blackberries to its nurses.
The OCR issued a Notice of Proposed Determination, but Children’s did not request a hearing within 90 days and therefore submitted to all of the allegations and the proposed fine of $3.2 million.
It is unclear why Children’s did not request a hearing and attempt to settle or negotiate better terms with the OCR after the Notice, particularly when the 2009 incident is clearly outside the six-year statute of limitations set forth in HIPAA.
At any rate, enforcement by the OCR continues, and this determination certainly provides additional guidance to covered entities on challenging the OCR and on the consequences of not requesting a hearing.