MD Anderson slapped with $4.3M penalty for HIPAA violations

An HHS administrative law judge upheld an HHS Office for Civil Rights finding requiring the University of Texas MD Anderson Cancer Center in Houston to pay $4,348,000 in civil penalties for HIPAA violations related to the organization's encryption policies, HHS confirmed June 18.

Here are five things to know about the ruling:

1. MD Anderson was investigated after three data breach reports in 2012 and 2013. The reports involved the theft of an unencrypted laptop from an employee's residence and the loss of two unencrypted flash drives; together the devices contained electronic protected health information (ePHI) of more than 33,500 people.

2. The investigation found that although MD Anderson had encryption policies from as early as 2006, it did not adopt systemwide encryption of ePHI until 2011. The OCR said MD Anderson also failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011, and January 25, 2013.

3. In response to the findings, MD Anderson said it was not obligated to encrypt its devices, in part because the ePHI in question was for research, and thus not subject to HIPAA's nondisclosure requirements. MD Anderson also argued HIPAA's penalties were unreasonable.

"Patient privacy is of extreme importance at The University of Texas MD Anderson Cancer Center, and substantial measures are in place to ensure the protection of private patient information," an MD Anderson spokesperson emailed Becker's Hospital Review June 19. "In all three cases involving the loss or theft of devices reviewed by the administrative law judge, there is no evidence any patient information was viewed or any harm to patients was caused."

4. However, the administrative law judge agreed with the arguments and findings of the OCR and upheld its determination of $4,348,000 in penalties, based on each day of MD Anderson's noncompliance with HIPAA and for each record of individuals breached. The judge said MD Anderson's "dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI."

"OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations," OCR Director Roger Severino said in a June 18 statement. "We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information."

5. MD Anderson said it plans to appeal the administrative law judge's ruling.

"We are disappointed by the ALJ's ruling, and we are concerned that key exhibits and arguments were not considered," a health system spokesperson wrote. "Regardless of the ALJ's decision, we hope this process brings transparency, accountability and consistency to the Office for Civil Rights' enforcement process."

© Copyright ASC COMMUNICATIONS 2018.