Ouch! The part of this story that really stings is the opening line: “Children’s Medical Center of Dallas (Children’s) was recently given an OCR HIPAA civil money penalty due to ePHI disclosure and several years of HIPAA non-compliance, according to a Department of Health and Human Services (HHS) release.”

Several years of HIPAA non-compliance

“OCR’s investigation revealed Children’s noncompliance with HIPAA Rules, specifically, a failure to implement risk management plans, contrary to prior external recommendations to do so, and a failure to deploy encryption or an equivalent alternative measure on all of its laptops, work stations, mobile devices and removable storage media until April 9, 2013,” HHS explained.

Children’s also knew there was a risk in keeping unencrypted ePHI on its devices, dating as far back as 2007, the investigation found. Furthermore, unencrypted BlackBerry devices were distributed to nurses, while staff members were allowed to use unencrypted laptops and other mobile devices until 2013.

For example, during OCR’s investigation Children’s submitted a Security Gap Analysis and Assessment covering December 2006 to February 2007. That assessment found an absence of risk management and recommended that the medical center implement encryption so that PHI on a lost or stolen laptop would not be exposed.

We can’t stress enough how critical it is to engage in risk management: perform a risk assessment, and then take the remediation activities it produces seriously. As this case shows, a documented recommendation that sits unaddressed for years is treated as non-compliance, not as due diligence.

Read the full article from HealthITSecurity here.