Recently, the US Department of Health and Human Services’ Office of Civil Rights (OCR) fined Children’s Medical Center of Dallas $3,217,000 for various HIPAA violations. Typically, OCR’s HIPAA cases involve mutually agreed Resolution Agreements. In the Children’s case, there was no agreement. The information published by OCR regarding the Children’s fine provides interesting insights into the way the government thinks about these cases.
The government clearly said why it prefers mutually agreed resolutions. In the press release, the OCR’s acting director stated, “OCR prefers to settle cases and assist entities in implementing corrective actions plans.” Supervised remediation which can extend over many months requires consent or a court order following litigation. The Notice of Proposed Resolution to Children’s noted that settlement negotiations went on for ten months. We don’t know why the negotiations broke down. Maybe Children’s could pay the fine and wasn’t interested in extended governmental supervision.
The second remarkable thing about the case is the forbearance shown by OCR.
There were many “aggravating factors” in the case. To start with, there were repeated breach of ePHI on unencrypted devices. The Medical Center had been advised by experts many times that encryption was needed, yet unencrypted patient information kept being exposed by Children’s employees. Another source of irritation is subtler. The encryption standard is one of those rules that is “addressable” meaning that the healthcare entity must either adopt encryption or have a well thought out, documented alternative. Children’s seems to have claimed that it had “addressed” the issue of encryption years ago. The letters from OCR don’t say what Children’s claimed to have decided. They simply said “Children’s failed to appropriately document its decision.”
Another aggravating factor is the delay in giving the breach notice to the patients, the government and others. A HIPAA breach notice must be given “without unreasonable delay but in no case later than 60 calendar days after discovery of a breach.” There were three breaches in the Children’s case. Two involved more than 500 individuals. For these two breaches, timely notice had to go to the government, among others. OCR was informed of the 2010 breach exactly 60 days after the discovery of the breach. The government was informed of the 2013 breach 87 days after the discovery of the breach.
My observation about the government’s forbearance arises from the way that the government assessed the fine. The Civil Penalty Rules permit a sliding scale of fines based on the degree of fault. Fault can range from no fault to negligence (“reasonable cause”) to willful neglect or worse. For a negligent act, the government can assess a fine between $1,000 and $50,000 per individual affected per year. For willful neglect, the minimum fine is $10,000 per individual affected per year. Here, the government took the position that the Center was ordinarily negligent rather than willfully neglect. Given the ignoring of expert advice on encryption over many years, that is a very generous view of the facts by the government. Children’s also argued that no one was harmed in fact. The government accepted that and assessed the fine at only $1000 per individual rather than a higher number. This is, again, a very charitable view. Due to Children’s practice, there are tragic stories where even the medical excellence of its staff is not enough to save young lives. We can only guess whether some of the parents of these young patients received a notice and had to relive their loss.
The case ultimately provides evidence for the belief common among practitioners that in HIPAA matters, the government doesn’t require perfection, but does require an honest, well documented effort commensurate with the resources of the company entrusted with protected health information. That having been said, there is no good reason to test the boundaries of the OCR’s good will.