- An HHS Administrative Law Judge (ALJ) ruled that the University of Texas MD Anderson Cancer Center (MD Anderson) must pay $4.3 million in civil money penalties for HIPAA violations.
The judge backed OCR in its proposed determination, granting summary judgment to OCR on all issues.
OCR accused MD Anderson of violating the HIPAA Privacy and Security Rules in failing to encrypt its inventory of devices that handled and held electronic protected health information (ePHI). This failure lead to the exposure of ePHI on more than 33,500 individuals when a laptop was stolen and two thumb drives were lost in 2012 and 2013.
HHS said in a June 18 release that this was the second summary judgment victory in OCR’s history of HIPAA enforcement and the $4.3 million is the fourth largest amount ever awarded to OCR by an ALJ or secured in a settlement for HIPAA violations.
OCR investigated MD Anderson following the three data breaches and found that it had encryption policies dating from 2006 and that its own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI.
However, MD Anderson did not begin to adopt an enterprise-wide solution to implement encryption of ePHI until 2011, and it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011, and January 25, 2013. The ALJ agreed with OCR’s arguments and findings and upheld OCR’s penalties for MD Anderson’s noncompliance with HIPAA and for each record breached.
MD Anderson argued that it was not obligated to encrypt its devices and asserted that the ePHI at issue was for “research” and thus was not subject to HIPAA’s nondisclosure requirements. MD Anderson further argued that HIPAA’s penalties were unreasonable.
The ALJ rejected these arguments.
“What is most striking about this case is that Respondent [MD Anderson] knew for more than five years that its patients’ ePHI was vulnerable to loss and theft and yet, it consistently failed to implement the very measures that it had identified as being necessary to protect that information. Respondent’s dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI, a risk that Respondent not only recognized, but that it restated many times,” the judge said in his decision.
MD Anderson is both a degree-granting academic institution and a cancer treatment and research center located at the Texas Medical Center in Houston. It operates six cancer treatment hospitals and two diagnostic imaging clinics in the Greater Houston area, including its Texas Medical Center location, the main hospital campus of MD Anderson.
“OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” said OCR Director Roger Severino in a press release. “We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information.”
In its March 2017 notice of proposed determination, OCR noted that prior to the three breaches MD Anderson’s Information Security Program and Annual Reports for 2010-2011 identified encryption of confidential data on mobile media as a key risk area that was “currently not mitigated.”
In addition, MD Anderson’s Corporate Compliance Risk Analysis for fiscal year 2011 identified the following high-risk findings: “a) no enterprise-wide solution in effect for encryption of Institutional laptops and mobile computing devices; b) workforce members are downloading ePHI, confidential, and restricted confidential information and other sensitive data onto portable computing devices for use outside the Institution.”
OCR fined MD Anderson $1.3 million for the failure to encrypt all its devices holding ePHI and $3 million for the three data breaches.
In a statement emailed to HealthITSecurity.com, MD Anderson said it was "disappointed" by the judge's decision.
"In all three cases involving the loss or theft of devices reviewed by the Administrative Law Judge (ALJ), there is no evidence any patient information was viewed or any harm to patients was caused .. .We are concerned that key exhibits and arguments were not considered," the statement continued.
"MD Anderson remains committed to patient privacy, and we will continue our efforts to remain an industry leader in safely protecting patient information," it concluded.
MD Anderson said it plans to appeal the ALJ's ruling.