A hospital in Dallas was fined $3.2 million after it was determined that officials in the facility knowingly violated a HIPAA health data security rule for three years.

The Health and Human Services’ Office for Civil Rights announced the penalty after the Children’s Medical Center of Dallas declined to challenge the office’s findings, according to bna.com.

Typically healthcare facilities challenge the OCR’s ruling and enter into a settlement that involves a corrective action plan.

RELATED: UCLA Medical Center Investigating Breach of Kanye West’s Medical Records

Healthcare Attorney Arthur Fried said the corrective action plan, which typically involves a three-year period of federal oversight, may have played a role in the hospital’s decision.

“The hospital might have made the determination to pay the penalty and avoid the corrective action plan so as to avoid having the OCR breathing down their neck for several years,” Fried says.

The hospital had filed data breach reports with the OCR in 2010 and 2013 after a breach involving the loss of electronic devices containing protected health information. The OCR’s subsequent investigation, however, determined that hospital officials continued using unencrypted laptops and phones until 2013.

The hospital was told of the OCR’s findings in September but declined to challenge its decision within 90 days.

The OCR could have imposed a maximum penalty of $6 million on the hospital but instead chose the minimum amount because there was no evidence the breach affected anyone.

Acting OCR Director Robinsue Frohboese says the office prefers to settle cases but will give out penalties if violations are severe enough.

The final notice of determination says the hospital cooperated with the OCR throughout its investigation.

Read Next: Healthcare Network Settles With OCR for Breach of Notification Requirements

If you appreciated this article and want to receive more valuable industry content like this, click here to sign up for our FREE digital newsletters!

Related Content