On February 1, 2017, the Department of Health and Human Services, Office for Civil Rights (“OCR”) announced that the Children’s Medical Center of Dallas (“Children’s”) has paid a civil monetary penalty (“CMP”) of $3.2 million to resolve multiple HIPAA violations over several years. This CMP announcement raises a number of questions, such as whether it was financially advantageous to choose to accept a CMP rather than a proposed financial settlement and corrective action plan, and whether imposing millions of dollars in penalties on a non-profit children’s hospital strikes the right balance of promoting compliance versus taking funds away from patient care (although OCR applied the minimum CMP amounts available for the violations).

Take-Away Considerations

  • Covered entities and business associates must conduct a comprehensive risk analysis and must take steps to address gaps identified as part of the risk analysis.
  • Policies and procedures should address all required elements of the Privacy and Security Rules.
  • “Addressable” does not equal optional. The encryption implementation specification is addressable as opposed to required. Therefore, encryption must be implemented if, after a risk assessment, the entity has determined that the specification is a “reasonable and appropriate” safeguard in its risk management of the confidentiality, integrity, and availability of e-PHI. If the covered entity or business associate concludes that the addressable encryption implementation specification is not reasonable and appropriate, then it must document that determination and implement an equivalent alternative measure.
  • Although most entities facing CMPs choose to settle, the costs of a corrective action plan may make accepting a CMP a more attractive alternative, especially if OCR is seeking the minimum level of penalties.

Read the full analysis here