The Office for Civil Rights (OCR) issued a Final Notice against Children’s Medical Center of Dallas citing, among other things, “a failure to implement risk management plans, contrary to prior external recommendations to do so, and a failure to deploy encryption or an equivalent alternative measure on all of its laptops, work stations, mobile devices and removable storage media.” The OCR news release of February 1, 2017, entitled “Lack of timely action risks security and costs money,” about the Notice of Final Determination for the fine of $3.217 million for violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), included these statements:

OCR’s investigation revealed Children’s noncompliance with HIPAA Rules, specifically, a failure to implement risk management plans, contrary to prior external recommendations to do so, and a failure to deploy encryption or an equivalent alternative measure on all of its laptops, work stations, mobile devices and removable storage media until April 9, 2013. 

Despite Children’s knowledge about the risk of maintaining unencrypted ePHI [electronic protected health information] on its devices as far back as 2007, Children’s issued unencrypted BlackBerry devices to nurses and allowed its workforce members to continue using unencrypted laptops and other mobile devices until 2013. 

Hopefully this Final Determination will be a wake-up call to other HIPAA covered entities.