The second major HIPAA fine of the year, which comes at a larger price tag than the first we reported, lands in the lap of Children’s Medical Center of Dallas because they did not make changes after their first breach in 2009.

On February 1, the Office for Civil Rights (OCR) posted a press release about another HIPAA settlement, to the tune of $3.2 million. The press release provided details about two different breach incidents by Children’s Medical Center of Dallas (Children’s).

The first breach occurred on November 19, 2009 when an unencrypted BlackBerry device was lost at the Dallas/Fort Worth International Airport. The device reportedly contained the electronic protected health information (ePHI) of approximately 3,800 patients. Unfortunately, even after this initial breach, Children’s did not acknowledge the importance of encryption in safeguarding protected health information (PHI).

Reminder: Encryption or an alternate method of protecting the data on a mobile device is a HIPAA requirement.

The second breach occurred in April 2013 when an unencrypted laptop was stolen from Children’s. The laptop reportedly contained ePHI for approximately 2,500 individuals. Children’s had implemented some physical safeguards, including badge access and a security camera at one of the entrances to the laptop storage area. However, Children’s also granted access to that area to staff who were not authorized to access ePHI.

During the investigation, the OCR determined that Children’s had not complied with many HIPAA Rules, such as implementing risk management plans and encrypting mobile devices, until April 2013. That means that despite the loss of the BlackBerry in 2009, Children’s did not implement encryption until after the theft of the laptop in 2013. Records also indicate that Children’s knew the risk of not implementing encryption as far back as 2007.

The OCR Acting Director Robinsue Frohboese stated: “Ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correcting them, is essential… Although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine.”

The OCR seems to be using this case and the large fine as an example for Covered Entities to start implementing their risk management plans now, before a breach occurs.

Sign up with HIPAAgps today and start using our HIPAA Compliance Tools to help you with your Risk Management Plan.