Children’s Medical Center of Dallas is a beloved institution with deep pediatric medical expertise. Some of the most difficult childhood cases from around the world end up there. Between January 2010 and April 2013, the electronic health information (ePHI) of about 6,200 Children’s Medical Center young patients was exposed in three separate breaches. Two of the breaches, affecting 60% of these patients, involved unencrypted smart devices holding ePHI which were lost outside of the Hospital complex. The other breach involved an unencrypted laptop holding ePHI lost in an operating storage area where the janitorial staff and others had unrestricted access. For these breaches, US Department of Health and Human Services’ Office of Civil Rights (OCR) recently fined Children’s Medical Center of Dallas $3,217,000.
What could have been done differently? Well, according to the Notice of Proposed Determination that OCR sent Children’s, Children’s might have followed the advice of their own experts. OCR found it was an “aggravating factor” that “Children’s continued to use unencrypted devices even after it had actual knowledge that encryption was necessary to ensure the security of ePHI.”
The government pointed to three events. Between December 2006 and February 2007, three years before the first breach, a well-regarded security expert recommended that Children’s use encryption to avoid loss of ePHI if laptops or other portable devices were lost or stolen. In August 2008, seventeen months before the first breach, a large accounting firm did a risk analysis and identified encryption as a “high priority” item and recommended that Children’s implement data encryption on its laptops and devices by the end of 2008.
In September 2012, more than two years after the first breach, the Office of Inspector General (OIG) of HHS issued a finding basically asking why Children’s workers were permitted to take the data off dedicated secure servers and carry it outside of the hospital complex in the first place. Children’s adopted a “sufficient” policy on the matter two months later.
Seven months after the OIG’s finding, there was a third breach when an unencrypted laptop was left in the wrong part of the facility. Right about that time, Children’s finally began enforcing encryption on all laptops and mobile devices which might contain ePHI.
It is worth thinking about how to respond to the advice of HIPAA experts. To start with, the decision to accept or reject advice always sits inside the covered entity. HIPAA requires that each covered entity clearly designate a person as the healthcare security official. This is not a task that can be outsourced to consultants. When consultants make recommendations, these must be assessed and responded to in a thoughtful way by the company.
In responding, HIPAA emphasizes that the entity has the “flexibility of approach” to consider the recommendations in the light of the entity’s size, complexity, and capabilities, technical infrastructure, the costs of security measures and the probability and criticality of potential risks to ePHI. This means Children’s in Dallas might respond to the expert differently than, say, Dr. Turner, a solo dermatologist in Navasota.
Any covered entity needs to engage with, rather than ignore, the advice of experts. If the advice is not appropriate, this should be documented and explained. If it is not feasible, this should be documented, explained and alternatives explored. If the advice is sound, the covered entity should get to work.
We don’t have all of the facts, but if the allegations in the Children’s Medical Center case are right, it is hard to understand why it took seven years to follow its experts’ recommendations about encryption.