Report on Patient Privacy 25, no. 2 (February, 2025)
The saga that led Children’s Hospital Colorado to accept a fine of more than $500,000 imposed by the HHS Office for Civil Rights (OCR) began on July 11, 2017, when a physician’s email account containing details on 3,300 children was hacked.
It ended last fall when the hospital capitulated after expending what officials described to RPP as “an excessive level of transparency, cooperation, time and resources for more than the past six years to no avail.” The fine was among nine enforcement actions Melanie Fontes Rainer announced prior to her resignation as OCR director preceding President Donald Trump’s Jan. 20 inauguration. These included three settlements with corrective action plans (CAPs) related to OCR’s Security Rule analysis initiative.[1]
Children’s could have paid a lower fine, officials said, by agreeing to the settlement OCR offered instead of a civil monetary penalty (CMP). But it declined to implement the corrective action plan (CAP) that is a standard part of a settlement, a refusal that fits a recent pattern among OCR’s enforcement actions. Increasing numbers of covered entities (CEs) have been saying no to ever-broadening CAPs that impose requirements beyond simply correcting the deficiencies OCR perceives in their HIPAA compliance.
Also of note: although it tried to make the case, Children’s didn’t get a “discount” on the fine for having recognized security practices (RSPs) in place during the 12 months prior to the end of the investigation. A 2021 amendment to the HITECH Act requires OCR to consider whether RSPs were in place for the previous 12 months and, if so, to reduce a financial penalty and lessen other remedies, such as those related to audits.
Unlike many reporting on OCR’s enforcement actions based solely on the agency’s news releases, RPP contacts organizations involved for comment. While some choose not to respond, those that do often share Children’s frustration with OCR, the investigative process they endured and the outcome.
From start to finish, Children’s has maintained that it did not violate HIPAA. In contrast, OCR said in a notice of proposed determination (NPD) that it found “multiple potential longstanding violations lasting from 1 ½ years to 4 years”; however, it acknowledged that the hospital “resolved these potential violations during the investigation.”[2] But as the fine shows, that didn’t let the hospital emerge from the investigation financially unscathed.
Specifically, OCR imposed a $548,265 fine for what it said were three violations, each incurring a daily fine—based on the reasonable cause category—of $1,379. Fines are subject to annual caps, although a bill introduced by Sen. Ron Wyden, D-Ore., in the last Congress and likely to surface again would remove them, meaning fines could potentially be unlimited.
In addition to the email breaches, OCR said its investigation of Children’s uncovered a failure to provide HIPAA training to nursing students and what it said was noncompliance with the requirement to conduct a security risk analysis.
As noted earlier, what initially got OCR’s attention was Children’s 2017 report that a physician’s email had been, in the agency’s words, “compromised.” The email account contained protected health information (PHI) for 3,370 children. The hospital—which OCR refers to as CHC—reported the breach on Sept. 8, 2017. OCR started an investigation three weeks later.
“It was determined that the unauthorized access occurred because CHC’s information technology help desk had previously disabled the two-factor authentication technical control for this physician’s email account and failed to reactivate it,” according to OCR’s June 11, 2024, NPD letter posted online. The letter doesn’t specify who made this determination.
The scope of OCR’s 2017 investigation isn’t clear, nor is whether any progress toward resolution was made from its initiation up to summer 2020. However, the proposed determination notes several developments that occurred in the early years.
For example, the hospital disclosed to OCR in 2019 that it had failed to provide Privacy Rule training to 6,666 members of its workforce, including 3,495 nursing students, from Jan. 1, 2013, to Dec. 31, 2018.
In June 2018, OCR informed Children’s that its risk analyses were “insufficient,” as “they were not accurate and thorough. Specifically, OCR advised CHC that the risk analyses…did not account for all the locations and systems that created, received, maintained, and/or transmitted” electronic PHI. At that time, OCR provided the hospital “technical assistance,” and subsequently concluded that a 2021 document was “an adequate risk analysis.”
Breaches Triggered Deeper Investigation
Three more email breaches occurred in April 2020, which Children’s reported to OCR on July 20, 2020; the PHI of 10,840 individuals was affected. Nearly three months later, OCR notified Children’s that it was “conducting an additional investigation of CHC’s compliance with certain provisions of the HIPAA Rules.”
The proposed notice provides more details about the 2020 email breaches, stating that Children’s “reported that an unauthorized third party with a German IP address logged into a CHC’s workforce member’s email account on April 6, 2020, and again on April 12 and April 13, 2020.” It also “reported that two additional CHC workforce members’ email accounts were compromised when an unauthorized third party, associated with a U.S. IP address, repeatedly logged into their email accounts during the period of April 6, 2020, through April 12, 2020.”
The hospital’s description matches the pattern of an MFA push-fatigue attack, in which an attacker who already holds a user’s password triggers push prompts until the user approves one; the notice doesn’t say how the passwords were obtained, though phishing is the usual route, and it doesn’t use the word phishing. “CHC reported that the unauthorized third parties did not need to use technical means to by-pass multifactor authentication [MFA] on the three accounts. Specifically, two of the workforce members gave permission to the unknown third parties to access their email accounts by accepting a multi-factor authentication access request that neither had initiated,” according to the proposed determination.
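The two failure modes OCR describes, an MFA control that was disabled by the help desk and never reactivated, and users approving MFA push prompts they had not initiated, are both visible in ordinary identity-provider audit logs. The script below is an added example written for this article; it is not code from OCR, the hospital or the proposed determination. The event schema (`mfa_disabled`, `mfa_enabled`, `signin` records with an `mfa` outcome and a sign-in `country`) and the sample events are constructed for illustration. It flags accounts whose MFA has been off longer than a grace period, and approved sign-ins that either come from a country the user has never signed in from before or follow a burst of denied or timed-out prompts.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (hypothetical schema; not from CHC's systems or the NPD).
SAMPLE_EVENTS = [
    {"ts": "2017-06-01T09:00:00", "event": "mfa_disabled", "user": "physician1", "actor": "helpdesk"},
    {"ts": "2017-06-20T10:00:00", "event": "mfa_disabled", "user": "physician2", "actor": "helpdesk"},
    {"ts": "2017-06-21T10:00:00", "event": "mfa_enabled",  "user": "physician2", "actor": "helpdesk"},
    {"ts": "2020-03-02T08:00:00", "event": "signin", "user": "provider3", "ip": "192.0.2.10",  "country": "US", "mfa": "approved"},
    {"ts": "2020-03-09T08:00:00", "event": "signin", "user": "provider3", "ip": "192.0.2.10",  "country": "US", "mfa": "approved"},
    {"ts": "2020-04-06T02:10:00", "event": "signin", "user": "provider3", "ip": "203.0.113.7", "country": "DE", "mfa": "denied"},
    {"ts": "2020-04-06T02:11:00", "event": "signin", "user": "provider3", "ip": "203.0.113.7", "country": "DE", "mfa": "timeout"},
    {"ts": "2020-04-06T02:13:00", "event": "signin", "user": "provider3", "ip": "203.0.113.7", "country": "DE", "mfa": "approved"},
    {"ts": "2020-04-07T09:00:00", "event": "signin", "user": "provider4", "ip": "192.0.2.11",  "country": "US", "mfa": "approved"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def mfa_disabled_accounts(events, as_of, grace=timedelta(days=1)):
    """Return users whose MFA was disabled and not re-enabled within `grace` as of `as_of`.

    A help-desk exception that is never reverted shows up here; a one-day grace
    period tolerates a same-day re-enrolment.
    """
    disabled = {}  # user -> time MFA was switched off
    for e in sorted(events, key=_ts):
        if _ts(e) > as_of:
            break
        if e["event"] == "mfa_disabled":
            disabled[e["user"]] = _ts(e)
        elif e["event"] == "mfa_enabled":
            disabled.pop(e["user"], None)
    return sorted(u for u, t in disabled.items() if as_of - t > grace)


def suspicious_mfa_approvals(events, window=timedelta(minutes=15), min_prompts=2):
    """Return approved sign-ins that look like push-fatigue or account takeover.

    An approval is flagged when the sign-in country is not in the user's baseline
    of previously approved countries, or when at least `min_prompts` unapproved
    prompts (denied / timed out) preceded it within `window`.  Flagged approvals
    are not added to the baseline so an attacker cannot poison it.
    """
    findings = []
    baseline = {}  # user -> set of countries seen on clean approved sign-ins
    recent = {}    # user -> timestamps of recent non-approved prompts
    for e in sorted(events, key=_ts):
        if e["event"] != "signin":
            continue
        user, t = e["user"], _ts(e)
        prompts = [p for p in recent.get(user, []) if t - p <= window]
        if e["mfa"] != "approved":
            prompts.append(t)
            recent[user] = prompts
            continue
        reasons = []
        if user in baseline and e["country"] not in baseline[user]:
            reasons.append("approved from new country %s" % e["country"])
        if len(prompts) >= min_prompts:
            reasons.append("%d unapproved prompts in the prior %s" % (len(prompts), window))
        if reasons:
            findings.append({"user": user, "ts": e["ts"], "ip": e["ip"], "reasons": reasons})
        else:
            baseline.setdefault(user, set()).add(e["country"])
        recent[user] = []
    return findings


if __name__ == "__main__":
    print("MFA still disabled:", mfa_disabled_accounts(SAMPLE_EVENTS, datetime(2017, 7, 11)))
    for f in suspicious_mfa_approvals(SAMPLE_EVENTS):
        print("suspicious approval:", f)
```

Run against a real tenant, the same two checks would be fed from the identity provider’s sign-in and audit exports; the thresholds (`grace`, `window`, `min_prompts`) are assumptions to tune, and a geography baseline should be supplemented with number matching or a hardware factor, which removes the push-fatigue vector rather than only detecting it.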
OCR also noted the emails contained an expansive range of PHI, some of which organizations have been advised against collecting, such as Social Security and driver’s license numbers. The emails also held patients’ names, dates of service, medical record numbers and diagnoses.
Caps, Statute of Limitations Invoked
In announcing the fine, Fontes Rainer mentioned phishing. “Email continues to be a very common way for cyberattackers to enter health information systems and jeopardize privacy and security,” Fontes Rainer said.[3] “Health care entities should identify potential risks and vulnerabilities to email accounts and train their workforce to protect health information in those accounts.”
The agency laid out the fines for what it said were the following violations:
- Risk Analysis—45 C.F.R. § 164.308(a)(1)(ii)(A): CMP of $348,265. “While OCR has evidence that CHC had not conducted a risk analysis that complies with the Security Rule years before 2018, OCR’s statute of limitations prevents it from beginning calculations for this violation prior to 6 years of the NPD date. OCR determined the CMP calculation for this violation should end on February 4, 2021, as this is the date that precedes the date of CHC’s sufficient risk analysis that Tevora conducted for CHC.” The uncapped fine would have been $1,205,246.
- Training—45 C.F.R. § 164.530(b): CMP of $100,000. “OCR’s investigation revealed that CHC had not been providing HIPAA training to all workforce members, specifically, graduate and undergraduate nursing students, which make up a substantial number of CHC’s workforce,” OCR said in the proposed determination letter. “While OCR has evidence that this requirement was not being fulfilled until December 2018, OCR’s statute of limitations prevents it from beginning calculations for this violation prior to 6 years of the NPD date. The penalty calculation ends on November 30, 2018, which is the day prior to CHC’s augmentation of its ‘Orientation and Training Handbook to Nursing Students’ in December 2018.” Without a cap, the fine would have been $237,188.
- Uses and Disclosures of PHI—45 C.F.R. § 164.502(a): CMP of $100,000. “In July 2020, CHC reported to OCR that due to at least two providers’ authorization of fraudulent MFA pushes, it experienced a large breach in April 2020 when an unauthorized third party accessed three providers’ CHC email accounts which contained the demographic and clinical PHI of 10,840 individuals.” OCR counted each affected individual as a separate occurrence; at $1,379 apiece, the fine would have been $14,948,360 without the cap.
Reasonable cause is defined as an act or omission in which a CE or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated HIPAA, but in which the entity did not act with willful neglect.
Hospital: Fine Diverted Patient Care Funds
In addition to disputing that there were any HIPAA violations, hospital officials told RPP that they are “extremely disappointed in [OCR’s] final decision not to resolve this without penalties, despite our cooperation, transparency, and the lack of evidence showing any access to protected health information occurred.”
Officials added that “over the past six-plus years, we cooperated with and were transparent with OCR while they conducted an investigation about the breach.” The nonprofit also bemoaned the impact of the fine on its revenue.
“We regret that OCR’s decision will require us to reallocate funds to OCR that would otherwise be used for patient care, especially during these challenging financial times for hospitals and families seeking healthcare. That said, we will continue to prioritize top care to those entrusted to us during these difficult times,” the officials told RPP.
RPP asked Children’s why it didn’t settle and whether the decision had anything to do with implementing a CAP. “While OCR did offer an option with a lower fine, it was contingent on requirements that would require an unfeasible and unnecessary amount of time and resources on our behalf and would still come with a significant fine,” the statement said.
Children’s characterization of the proposed CAP requirements, which it did not share with RPP, as extraneous or wasted effort is consistent with RPP’s review of other CAPs. For example, OCR required Cascade Eye and Skin Centers PC to develop a contingency plan and to tune up its breach notification policies and procedures, actions that don’t correspond to any “potential” HIPAA violations OCR identified.[4]
Cascade paid $250,000 to resolve OCR’s investigation, which officials also told RPP was triggered by an incident they said wasn’t a breach. Cascade was attacked in 2017 by ransomware and also spent years trying to resolve the allegations; like Children’s, Cascade also argued for a lesser fine.
Children’s and OCR negotiated the conclusion of the case for more than a year. OCR first notified the hospital in June 2023 of an “opportunity to resolve the matter informally,” which means a settlement agreement and CAP. OCR did not provide details about this offer.
Three months later, OCR took the next step—sending a “letter of opportunity” inviting the hospital to submit “written evidence of mitigating factors” or “affirmative defenses.” Children’s responded three weeks later, in November 2023. In April of last year, OCR obtained approval from the U.S. Attorney General to impose the $548,265 fine, which it communicated to Children’s in the agency’s June 11 proposed determination letter.
Tussle Over Mysterious RSPs
Apparently, years earlier, OCR told Children’s it was not going to get a discount for RSPs. That decision followed a bit of a back-and-forth and continued the lack of transparency that has characterized the agency’s prior RSP determinations.
At some point, OCR asked Children’s to share information about them. “CHC responded to OCR’s request on July 26, 2021, and August 27, 2021. Upon examination of the materials provided by CHC, OCR determined that CHC’s response did not adequately demonstrate that it had RSPs in place for the previous 12 months. OCR again requested evidence of RSP implementation on May 19, 2022. CHC referred OCR to the response it submitted to OCR on July 26, 2021, and August 27, 2021, without submitting any new information.”
In October, OCR fined Providence Medical Institute $240,000, which the agency said reflected a 20% discount for RSPs. In neither case did OCR explain how it makes such a determination, which RSPs count, or how large a reduction they earn.
Despite a requirement in the law, a pledge to do so and requests from the American Hospital Association and others, OCR has never engaged in rulemaking nor provided explicit guidance about its use of RSPs, instead posting a video.
Children’s told OCR on Sept. 9, 2024, that it was done—it was “not contesting the imposition of a CMP,” and it did not request a hearing.
“After having already provided OCR with an excessive level of transparency, cooperation, time and resources for more than the past six years to no avail, we felt that the decision to accept this outcome would be the most prudent and in the best interest of our team and our patients,” the hospital told RPP.
But it added that patients need not be “concerned” about the incidents that led to the fine, “due to the fact there is no evidence that patients’ PHI was actually accessed, and given how long it has taken OCR to resolve this investigation.” Still, it offered an email address that patients could use if they have questions: privacy@childrenscolorado.org.
1 Jane Anderson, “OCR Requires Complete ePHI Asset Inventories in Risk Analysis CAPs,” Report on Patient Privacy 25, no. 2 (February 2025).
2 U.S. Department of Health and Human Services, Office for Civil Rights, “Children's Hospital Colorado Notice of Proposed Determination,” June 11, 2024, content last reviewed December 5, 2024, https://bit.ly/40IYGWu.
3 U.S. Department of Health and Human Services, Office for Civil Rights, “HHS Office for Civil Rights Imposes a $548,265 Penalty Against Children’s Hospital Colorado for HIPAA Privacy and Security Rules Violations,” news release, December 5, 2024, https://bit.ly/40SXHV7.
4 Theresa Defino, “Cascade’s CAP Has Breach Notification Focus, Frequent Reporting,” Report on Patient Privacy 24, no. 10 (October 2024), https://bit.ly/4hF4RBM.