Lessons Learned from the OCR Fine of Children’s Medical Center of Dallas

By Howard Burde, Howard Burde Health Law, LLC | @BurdeLaw

The OCR $3.2 million fine of Children’s Medical Center of Dallas indicates not simply the importance of encryption for HIPAA security, but also the inevitable system vulnerabilities created by users. 

You know, human beings.  One of the breaches involved the loss of an unencrypted, non-password protected Blackberry device at an airport. The device contained PHI for 3,800 patients.  How might Children’s have avoided this situation? 

Most covered entities that permit use of BYOD, limit use by prohibiting downloading of PHI.  Double or triple factor authentication for access to a database, sure.  But, covered entities and business associates should never permit downloading of PHI onto mobile devices. 

There is no reason to do so.  Even those of us who treasured (yes past tense) our Blackberry keyboards would acknowledge the limited utility of hosting that much PHI on a handheld device. In its announcement OCR also referenced the failure of Children’s to implement recommended risk management plans, and recommended encryption generally and specifically for laptops and mobile devices. 

This failure points out another risk for covered entities and business associates.  The problem with getting sound advice is that you will be expected to adopt it.  OCR considers things like making a good faith effort to comply to be important. 

Failure to implement sound advice is a signal to OCR that a covered entity or business associate is not taking privacy and security seriously.  Note that the medical center did not even bother to appeal. 

At Howard Burde Health Law, I advise innovative emerging health care companies on how to use the legal and economic environment to meet and overcome the challenges for sustainable market success.  You can reach me at or 610-616-3357.