MD Anderson to pay $4.3 million for HIPAA violations

by Thomas Dworetzky, Contributing Reporter | June 20, 2018
Business Affairs
A Health and Human Services administrative law judge has upheld a decision that the University of Texas MD Anderson Cancer Center broke HIPAA privacy and security rules and has to pay a $4.3 million fine, the agency said in a statement.

The win for the HHS Office for Civil Rights (OCR) is the second summary judgment victory in OCR's history of HIPAA enforcement, and the fourth largest amount ever awarded by an administrative law judge to OCR in a HIPAA-violation settlement.

“OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” said OCR Director Roger Severino. “We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information.”

MD Anderson was investigated after three data breaches in 2012 and 2013 involving a stolen, unencrypted laptop from an Anderson employee's home, as well as the loss of a pair of thumb-drives with records belonging to more than 33,000 people.

The investigators found that Anderson had written encryption policies going as far back as 2006 – and that the institution had itself discovered that its security was vulnerable due to a lack of device-level encryption – but that it was only by 2011 that it had moved toward an enterprise-wide encryption solution and “even then it failed to encrypt its inventory of electronic devices containing ePHI [electronic patient health information] between March 24, 2011 and January 25, 2013,” according to HHS.

The penalty covered both the days on which Anderson was out of compliance with HIPAA and the individual records that were lost or stolen.

MD Anderson had argued that “it was not obligated to encrypt its devices, and asserted that the ePHI at issue was for 'research,' and thus was not subject to HIPAA’s nondisclosure requirements.”

It also claimed that the penalties were unreasonable.

Judge Steven T. Kessel dismissed both claims in his decision and noted that, “the penalties in this case are reasonable, given the gravity of respondent's noncompliance and the number of individuals potentially affected. What is most striking about this case is that respondent knew for more than five years that its patients' ePHI was vulnerable to loss and theft and yet, it consistently failed to implement the very measures that it had identified as being necessary to protect that information. Respondent's dilatory conduct is shocking, given the high risk to its patients resulting from unauthorized disclosure of ePHI, a risk that respondent not only recognized but that it restated many times.”