Children's Hospital Colorado Notice of Proposed Determination

U.S. Department of Health and Human Services
Office for Civil Rights
Rocky Mountain Region
1961 Stout Street Room 08-148
Denver, Colorado 80294
Voice - (303) 844-7915
TDD - (800) 537-7697
Fax - (303) 844-2025
http://www.hhs.gov/ocr

June 11, 2024

VIA PERSONAL SERVICE TO Registered Agent:
Susan Hallenberger
Children’s Hospital Colorado
13123 East 16th Avenue, B545
Aurora, Colorado 80045

VIA PERSONAL SERVICE TO Chief Executive Officer:
Jena Hausmann
Children’s Hospital Colorado
13123 East 16th Avenue
Aurora, Colorado 80045

VIA EMAIL TO Privacy Officer:
Janell Briggs
13123 East 16th Avenue
Aurora, Colorado 80045
Janell.Briggs@Childrenscolorado.org

VIA EMAIL TO Legal Counsel:
Iliana Peters Polsinelli
1401 Eye Street NW, Suite 800
Washington, D.C. 20005
ipeters@polsinelli.com

Re: Children’s Hospital Colorado
OCR Transaction Numbers: 17-281691 and 20-389876

Notice of Proposed Determination

Dear Susan Hallenberger, Jena Hausmann, Janell Briggs, and Iliana Peters:

Pursuant to the authority delegated by the Secretary of the U.S. Department of Health and Human Services (HHS) to the Office for Civil Rights (OCR), I am writing to inform you that OCR is proposing to impose a civil money penalty (CMP) of $548,265 against Children’s Hospital Colorado (CHC).

This proposed action is being taken under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), § 262(a), Public Law 104-191, 110 Stat. 1936, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, Public Law 111-5, Section 13410, codified at 42 United States Code (U.S.C.) § 1320d-5, at 45 Code of Federal Regulations (C.F.R.) Parts 160 and 164.

I. The Statutory Basis for the Proposed CMP

The Secretary of HHS is authorized to impose a CMP (subject to the limitations set forth at 42 U.S.C. § 1320d-5(b)) against any covered entity, as described at 42 U.S.C. § 1320d-1(a), that violates a provision of Part C (HIPAA Administrative Simplification) of Title XI of the Social Security Act. See HIPAA, § 262(a), as amended, 42 U.S.C. § 1320d-5(a). This authority includes imposing CMPs for violations of the applicable provisions of the Federal Standards for Privacy of Individually Identifiable Health Information and the Security Standards for the Protection of Electronic Protected Health Information (45 Code of Federal Regulations (C.F.R.) Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules), and the Breach Notification Rule (45 C.F.R. Parts 160 and 164, Subpart D) (the HIPAA Rules). The Secretary has delegated enforcement responsibility for the HIPAA Rules to the Director of OCR. See 65 Federal Register (Fed. Reg.) 82381 (Dec. 28, 2000) and 74 Fed. Reg. 38630 (July 27, 2009). OCR is authorized under the HITECH Act § 13410, 42 U.S.C. § 1320d-5(a)(3),[1] to impose CMPs for violations occurring on or after February 18, 2009,[2] of:

  • A minimum of $100 for each violation where the covered entity or business associate did not know and, by exercising reasonable diligence, would not have known that the covered entity or business associate violated such provision, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.
  • A minimum of $1,000 for each violation due to reasonable cause and not to willful neglect, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $100,000. Reasonable cause means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated a HIPAA Administrative Simplification provision, but in which the covered entity or business associate did not act with willful neglect.
  • A minimum of $10,000 for each violation due to willful neglect and corrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $250,000.
  • A minimum of $50,000 for each violation due to willful neglect and uncorrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $1,500,000.

As required by law, OCR has adjusted the CMP ranges for each penalty tier for inflation.[3]

OCR is precluded from imposing a CMP unless the action is commenced within six years from the date of the violation.[4]

II. Findings of Fact

  1. Children’s Hospital Colorado Health System is the sole corporate member of CHC. CHC is a large, not-for-profit corporation that provides a wide range of health care services primarily for children and young individuals. Including its primary location in Aurora, Colorado, CHC has 22 facilities located throughout the Anschutz Medical Campus and the State of Colorado and has nearly 2,000 pediatric specialists and more than 5,000 full-time workforce members.
  2. CHC is a “covered entity” within the meaning of 45 C.F.R. § 160.103, and, as such, is required to comply with the HIPAA Rules.
  3. CHC is a health care provider that transmits protected health information (PHI) in electronic form in connection with transactions for which HHS has adopted standards.
  4. On September 8, 2017, CHC reported to OCR that it experienced a security incident involving a breach of PHI that occurred on July 11, 2017 (the 2017 Breach), when a physician’s CHC email account containing the PHI of 3,370 children was compromised.
  5. It was determined that the unauthorized access occurred because CHC’s information technology help desk had previously disabled the two-factor authentication technical control for this physician’s email account and failed to reactivate it.
  6. On September 29, 2017, OCR initiated an investigation of CHC’s compliance with certain provisions of the HIPAA Rules.[5]
  7. CHC experienced another breach of PHI from April 6 to April 13, 2020 (the 2020 Breach).
  8. CHC reported the 2020 Breach to OCR on July 27, 2020, and explained that an unauthorized third party accessed three workforce members’ CHC email accounts which contained PHI for 10,840 individuals.
  9. By letter dated October 9, 2020, OCR notified CHC that, based on the 2020 Breach, OCR was conducting an additional investigation of CHC’s compliance with certain provisions of the HIPAA Rules.[6]
  10. A covered entity may not use or disclose PHI except as permitted or required by the Privacy Rule.[7]
  11. The HIPAA Rules define “disclosure” to mean “the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.”[8]
  12. CHC reported that an unauthorized third party with a German IP address logged into a CHC workforce member’s email account on April 6, 2020, and again on April 12 and April 13, 2020.
  13. CHC reported that two additional CHC workforce members’ email accounts were compromised when an unauthorized third party, associated with a U.S. IP address, repeatedly logged into their email accounts during the period of April 6, 2020, through April 12, 2020.
  14. CHC reported that the unauthorized third parties did not need to use technical means to bypass multi-factor authentication on the three accounts. Specifically, two of the workforce members gave permission to the unknown third parties to access their email accounts by accepting a multi-factor authentication access request that neither had initiated.
  15. The CHC workforce members’ email accounts contained patient PHI including names, dates of service, medical record numbers, zip codes, medical diagnoses, social security numbers, and driver’s license numbers.
  16. The 2020 Breach resulted in the impermissible disclosure of 10,840 individuals’ PHI to unauthorized third parties.
  17. The Privacy Rule requires a covered entity to train all members of its workforce on its Privacy Rule and Breach Notification Rule policies and procedures with respect to PHI, as necessary and appropriate for the workforce members to carry out their functions within the covered entity. The covered entity must conduct such training within a reasonable amount of time after the person joins the covered entity’s workforce, and the covered entity must document the Privacy Rule training it provides to its workforce members.
  18. The HIPAA Rules define “workforce” as “employees, volunteers, trainees, and other persons whose conduct in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.”
  19. CHC enters into agreements with various nursing schools to provide clinical opportunities for nursing students. During the period March 1, 2018, through November 30, 2018, CHC had an “Agreement for Student Education” in effect with 26 universities and colleges.
  20. Nursing students on clinical rotation at CHC facilities create and receive PHI through patient care and have access to medical and other records containing PHI that are maintained by CHC in its electronic health systems.
  21. The nursing school agreements provided that “[a]t the commencement of a Student’s placement the [CHC] contact person shall provide an orientation to Students regarding [CHC’s] administrative policies and standards including applicable confidentiality laws, rules, regulations, and procedures with respect to patient records.”
  22. The nursing school agreement that CHC had in place with Illinois State University specifically stipulated that a nursing “student is part of the Children’s Colorado’s ‘workforce’ as defined in HIPAA Privacy Regulations….”
  23. On April 29, 2019, CHC informed OCR that it did not provide Privacy Rule training to its nursing students.
  24. On May 14, 2019, CHC admitted “[t]he total number of workforce members for whom CHC did not provide HIPAA Privacy Rule [training] between January 1, 2013, and December 31, 2018, was 6,666” including 3,495 nursing students.
  25. CHC did not finalize its Privacy Rule training policy and procedure until September 30, 2018.
  26. OCR’s investigation determined that CHC came into compliance with 45 C.F.R. § 164.530(b) when it began training its nursing students and documenting such training on November 30, 2018.
  27. The Security Rule requires a covered entity to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI (ePHI) held by the covered entity.[9]
  28. During OCR’s investigation, CHC submitted documentation of attempted Security Rule risk analyses.
  29. On June 19, 2018, OCR informed CHC that the analyses provided by CHC were insufficient under the Security Rule because they were not accurate and thorough. Specifically, OCR advised CHC that the risk analyses that it provided to OCR failed to meet the Security Rule risk analysis requirement because they did not account for all the locations and systems that created, received, maintained, and/or transmitted ePHI.
  30. On June 20, 2018, OCR provided CHC technical assistance on the Security Rule, including the risk analysis requirements of 45 C.F.R. § 164.308(a)(1)(ii)(A).
  31. In its May 28, 2021, response, CHC provided OCR the “Children’s Hospital Colorado 2020 Healthcare Enterprise Risk Assessment” that Tevora completed on its behalf (dated February 5, 2021). OCR concluded that this document is an adequate risk analysis.
  32. The evidence establishes that, until February 5, 2021, CHC failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI it held as required by 45 C.F.R. § 164.308(a)(1)(ii)(A).
  33. OCR officially notified CHC of the results of OCR’s investigations on June 23, 2023 and offered CHC the opportunity to resolve the matter informally.
  34. This matter did not resolve informally. Pursuant to 45 C.F.R. § 160.312(a)(3), OCR sent CHC a Letter of Opportunity (LOO) via email on October 13, 2023, and via certified mail on October 18, 2023.
  35. The LOO informed CHC that OCR’s investigations found preliminary indications of noncompliance with the Security Rule risk analysis requirement, 45 C.F.R. § 164.308(a)(1)(ii)(A), the Privacy Rule’s use and disclosure standard, 45 C.F.R. § 164.502(a), and the workforce training standard, 45 C.F.R. § 164.530(b), and that this matter had not been resolved by informal means despite OCR’s attempts to do so.
  36. The LOO stated that pursuant to 45 C.F.R. § 160.312(a)(3), OCR was providing CHC with an opportunity to submit written evidence of mitigating factors under 45 C.F.R. § 160.408 or affirmative defenses under 45 C.F.R. § 160.410 for OCR’s consideration in making a determination of a CMP pursuant to 45 C.F.R. § 160.404. CHC was also advised that it could submit written evidence to support a waiver of a CMP for the indicated areas of noncompliance pursuant to 45 C.F.R. § 160.412. Each act of noncompliance under the Privacy and Security Rules was described in the letter.
  37. CHC responded to the LOO by letter dated November 8, 2023.
  38. OCR determined that the information and arguments included in CHC’s response to the LOO do not support any affirmative defenses pursuant to 45 C.F.R. § 160.410. See Section IV below.
  39. Pursuant to 45 C.F.R. § 160.408, OCR considered evidence of mitigating factors, including those asserted in CHC’s LOO response, and evidence of aggravating factors to determine the amount of the CMP. See Section V below.
  40. OCR determined that the information and arguments submitted by CHC do not support a waiver of the CMP pursuant to 45 C.F.R. § 160.412. See Section VI below.
  41. OCR determined that the information submitted by CHC with respect to Recognized Security Practices does not support a reduction in the proposed CMP amount pursuant to Public Law 116-321. See Section VII below.
  42. On April 22, 2024, OCR obtained the authorization of the Attorney General of the United States prior to issuing this Notice of Proposed Determination to impose a CMP.

III. Basis for CMP

Based on the above findings of fact, OCR has determined that CHC is liable for the following violations of the HIPAA Rules and, therefore, is subject to a CMP. OCR has determined that the appropriate penalty tier for the below violations is Reasonable Cause.[10]

  1. CHC failed to train all members of its workforce until November 30, 2018, in violation of the Privacy Rule at 45 C.F.R. § 164.530(b).
  2. CHC impermissibly disclosed the PHI of 10,840 individuals to one or more unauthorized third parties between April 6 and 13, 2020, in violation of 45 C.F.R. § 164.502(a).
  3. CHC failed to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of CHC’s ePHI until at least February 4, 2021.

IV. No Affirmative Defenses

By its October 13, 2023 LOO, OCR offered CHC the opportunity to provide written evidence of affirmative defenses per 45 C.F.R. § 160.410. OCR determined that the information provided by CHC in its response letter to OCR dated November 8, 2023, did not provide a basis for an affirmative defense under 45 C.F.R. § 160.410.

V. Factors Considered in Determining the Amount of the CMP

In determining the CMP amount, OCR is required to consider certain factors listed in the regulation at 45 C.F.R. § 160.408, which may be mitigating or aggravating as appropriate. OCR considered information collected during its investigations of CHC as well as CHC’s November 8, 2023 response to OCR’s LOO. OCR considered the following:

  1. 45 C.F.R. § 160.408(a) The nature and extent of the violation.

    While OCR’s investigation found multiple, longstanding proposed violations, OCR notes that the covered entity has taken action to resolve them. OCR considered that two of the potential violations had a timeframe of noncompliance lasting more than a year. For example, OCR calculated noncompliance in performing a risk analysis from May 1, 2017, to February 4, 2021, nearly 4 years. CHC failed to meet its obligation to provide workforce training for 19 months, from May 1, 2017, to November 30, 2018. OCR acknowledges that CHC took sufficient corrective actions, including in response to technical assistance provided by OCR during the investigation, to resolve the potential noncompliance during the pendency of OCR’s investigation. As such, OCR finds that because there are multiple potential longstanding violations lasting from 1 ½ years to 4 years, but CHC resolved these potential violations during the investigation, this is neither an aggravating nor a mitigating factor.
  2. 45 C.F.R. § 160.408(b) The nature and extent of the harm resulting from the violation. 

    OCR does not have any evidence of harm to any individuals resulting from these violations. However, as this good fortune cannot be attributed to any actions by CHC, OCR finds that this is neither an aggravating nor a mitigating factor.
  3. 45 C.F.R. § 160.408(c) The history of prior compliance with the administrative simplification provisions, including violations, by the covered entity.

    OCR has not previously investigated CHC regarding its compliance with the HIPAA Rules. As such, OCR has no record of any previous matters involving this entity that would demonstrate whether the current violation is the same as or similar to previous indications of noncompliance, whether and to what extent the entity had attempted to correct previous indications of noncompliance, how the entity has responded to technical assistance from OCR provided in the context of a prior compliance effort, or how it responded to prior complaints.

    Ultimately, the lack of previous investigations of CHC is not evidence of compliance with the HIPAA Rules. This is evident from OCR’s investigative finding that CHC did not meet its compliance obligations under the Privacy and Security Rules for many years. However, in the context of this investigation, CHC responded to the technical assistance OCR provided by implementing a Privacy Rule training policy and procedure in September 2018.

    As such, OCR will apply this factor as neither mitigating nor aggravating.
  4. 45 C.F.R. § 160.408(d) The financial condition of the covered entity. 

    CHC is a large health care provider that served 283,989 unique patients across its system in 2021, and CHC’s annual net revenue regularly exceeds $36M. There is no evidence to suggest that CHC had financial difficulties that would affect its ability to comply with the requirements of HIPAA, such as costs associated with a HIPAA compliance program that would include workforce training, implementation of policies and procedures, minimum safeguards, etc., or that the imposition of a CMP would jeopardize the ability of CHC to continue to provide health care. The imposition of the maximum potential CMP ($548,265) will not affect its ability to provide services for its patient population.

    As such, OCR considers this to be neither a mitigating nor aggravating factor.
  5. 45 C.F.R. § 160.408(e) Such other matters as justice may require.

    Based on OCR’s consideration of the totality of the circumstances, OCR finds this is neither a mitigating nor an aggravating factor.

VI. Waiver

By its October 13, 2023, LOO, OCR offered CHC the opportunity to provide written evidence supporting waiver of the proposed CMP amount. OCR determined that the information contained in CHC’s LOO response did not provide a basis for waiver, or partial waiver, of the proposed CMP amount pursuant to 45 C.F.R. § 160.412. CHC presented no evidence that payment of the penalty is excessive relative to the violations.

VII. Amount of CMP

  1. Amount of CMP Per Violation 

    OCR finds that CHC is liable for a CMP for each violation described in Section III:
    1. Training - 45 C.F.R. § 164.530(b): CMP of $100,000
      OCR’s investigation revealed that CHC had not been providing HIPAA training to all workforce members, specifically, graduate and undergraduate nursing students, who make up a substantial number of CHC’s workforce. While OCR has evidence that this requirement was not being fulfilled until December 2018, OCR’s statute of limitations prevents it from beginning calculations for this violation earlier than six years before the date of this NPD. The penalty calculation ends on November 30, 2018, which is the day prior to CHC’s augmentation of its “Orientation and Training Handbook to Nursing Students” in December 2018. The appropriate penalty tier for this violation is Reasonable Cause, as follows:
      1. Calendar Year 2018: 172 days from June 11, 2018, to November 30, 2018, at $1,379 per day with an annual cap of $100,000
      2. Total CMP: $237,188, capped at $100,000
    2. Uses & Disclosures of PHI - 45 C.F.R. § 164.502(a): CMP of $100,000
      In July 2020, CHC reported to OCR that due to at least two providers’ authorization of fraudulent MFA pushes, it experienced a large breach in April 2020 when an unauthorized third party accessed three providers’ CHC email accounts which contained the demographic and clinical PHI of 10,840 individuals. The appropriate penalty tier for this violation is Reasonable Cause, as follows:
      1. Calendar Year 2020: 10,840 individuals at $1,379 per occurrence with an annual cap of $100,000
      2. Total CMP: $14,948,360, capped at $100,000
    3. Risk Analysis - 45 C.F.R. § 164.308(a)(1)(ii)(A): CMP of $348,265
      While OCR has evidence that CHC had not conducted a risk analysis that complies with the Security Rule years before 2018, OCR’s statute of limitations prevents it from beginning calculations for this violation earlier than six years before the date of this NPD. OCR determined the CMP calculation for this violation should end on February 4, 2021, as this is the date that precedes the date of CHC’s sufficient risk analysis that Tevora conducted for CHC. The appropriate penalty tier for this violation is Reasonable Cause, as follows:
      1. Calendar Year 2018: 203 days from June 11, 2018, to December 31, 2018, at $1,379 per day = $279,937, with an annual cap of $100,000
      2. Calendar Year 2019: 365 days from January 1, 2019, to December 31, 2019, at $1,379 per day = $503,335, with an annual cap of $100,000
      3. Calendar Year 2020: 366 days from January 1, 2020, to December 31, 2020, at $1,379 per day = $504,714, with an annual cap of $100,000
      4. Calendar Year 2021: 35 days from January 1, 2021, to February 4, 2021, at $1,379 per day = $48,265
      5. Total uncapped CMP: $1,205,246, cumulative capped CMP: $348,265
  2. Total Amount of CMP

    The total CMP amount to be imposed on CHC with regard to the violations described is $548,265.

    As described in Section V above, OCR did not identify any factors under 45 C.F.R. § 160.408 that merit aggravating or mitigating the CMP.

    During its investigation, OCR provided opportunities for CHC to adequately demonstrate that it had Recognized Security Practices (RSPs) in place.[11] CHC responded to OCR’s request on July 26, 2021, and August 27, 2021. Upon examination of the materials provided by CHC, OCR determined that CHC’s response did not adequately demonstrate that it had RSPs in place for the previous 12 months. OCR again requested evidence of RSP implementation on May 19, 2022. CHC referred OCR to the response it submitted to OCR on July 26, 2021, and August 27, 2021, without submitting any new information. Based on the materials submitted by CHC, OCR does not consider CHC to have substantially implemented RSPs in the last 12 months and therefore CHC does not qualify for mitigation of the potential civil money penalty amount. Further, CHC did not submit any new or additional RSP materials in its response to OCR’s LOO to justify mitigation or waiver of the CMP.

VIII. Right to a Hearing

CHC has the right to a hearing before an administrative law judge to challenge the proposed CMP. To request a hearing to challenge the proposed CMP, CHC must mail a request, via certified mail with return receipt requested, under the procedures set forth at 45 C.F.R. Part 160 within 90 days of your receipt of this letter. Such a request must: (1) clearly and directly admit, deny, or explain each of the findings of fact contained in this notice; and (2) state the circumstances or arguments that you allege constitute the grounds for any defense, and the factual and legal basis for opposing the proposed CMP. See 45 C.F.R. § 160.504(c). If you wish to request a hearing, you must submit your request to:

U.S. Department of Health & Human Services
Departmental Appeals Board, MS 6132
Civil Remedies Division
330 Independence Ave, SW
Cohen Building, Room G-644
Washington, D.C. 20201
Telephone: (202) 565-9462

Copy to:
Emily Crabbe, Senior Advisor
Office for Civil Rights
U. S. Department of Health and Human Services
200 Independence Avenue, SW
Suite 523E
Hubert H. Humphrey Building
Washington, D.C. 20201

A failure to request a hearing within 90 days permits the imposition of the proposed CMP without a right to a hearing under 45 C.F.R. § 160.504 or a right of appeal under 45 C.F.R. § 160.548. If you choose not to contest this proposed CMP, please submit a written statement accepting its imposition within 90 days of receipt of this notice.

If CHC does not request a hearing within 90 days, then OCR will notify CHC of the imposition of the CMP through a separate letter, including instructions on how to make payment, and the CMP will become final upon receipt of such notice.

If you have questions, you may contact Ms. Emily Crabbe, Senior Advisor for HIPDC Compliance and Enforcement, at (404) 562-7878 or via email at Emily.Crabbe@hhs.gov.

Sincerely,

/s/
Andrea Oliver
Regional Manager


Endnotes

[1] The CMP reflects the penalty tiers described in the Notification of Enforcement Discretion. See 84 Fed. Reg. 18151 (Apr. 30, 2019).

[2] For violations occurring on or after November 3, 2015, HHS may make annual adjustments to the CMP amounts pursuant to the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015. The annual inflation amounts are found at 45 C.F.R. § 102.3. For the most recent amounts, see 88 Fed. Reg. 69531 (October 6, 2023).

[3] See Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015, Sec. 701 of Pub. Law 114-74. Current inflation amounts are available at 45 C.F.R. § 102.3.

[4] See 42 U.S.C. § 1320a-7a(c)(1); 45 C.F.R. § 160.414.

[5] OCR Transaction Number 17-281691.

[6] OCR Transaction Number 20-389876.

[7] 45 C.F.R. § 164.502(a).

[8] 45 C.F.R. § 160.103.

[9] 45 C.F.R. § 164.308(a)(1)(ii)(A).

[10] Reasonable cause means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect. 45 C.F.R. § 160.401.

[11] Public Law 116-321 requires that OCR consider RSPs that HIPAA covered entities adequately demonstrate had been in place for a period of not less than 12 months when determining a civil money penalty.

Content created by Office for Civil Rights (OCR)
Content last reviewed December 5, 2024