HIPAA Violation Results in $4.3M Fine for Cancer Center

If you haven’t taken stringent measures to protect patient privacy, this recent ruling from a U.S. Department of Health and Human Services Administrative Law Judge might spur you into action.

The ALJ ruled that University of Texas MD Anderson Cancer Center violated HIPAA Privacy and Security Rules and granted summary judgment to the Office for Civil Rights (OCR) requiring the institution to pay $4.3 million in civil money penalties. This was just the second summary judgment victory in OCR’s history of HIPAA enforcement and the $4.3 million is the fourth largest amount ever awarded to OCR by an ALJ or secured in a settlement for HIPAA violations, according to OCR.

The ruling grew out of an investigation conducted by OCR following three separate data breach reports in 2012-13 involving the theft of an unencrypted laptop from the home of an MD Anderson employee, along with the loss of two unencrypted USB thumb drives that contained the personal health information of more than 33,500 patients.

Although the OCR investigation determined that MD Anderson had written encryption policies dating as far back as 2006, and that its own risk analyses found that the lack of device-level encryption posed a high risk to the security of protected patient data, MD Anderson did not start to adopt an enterprise-wide solution to implement encryption until 2011 and even then, didn’t encrypt its inventory of electronic devices until 2013.

“These facts establish that Petitioner… was not only aware of the need to encrypt devices in order to assure that confidential data including ePHI not be improperly disclosed, but it established a policy requiring the encryption and protection of devices containing ePHI,” the ALJ wrote. “However, and despite this awareness and its own policies, Petitioner made only half-hearted and incomplete efforts at encryption over the ensuing years. As a consequence, the theft of a laptop computer that was not encrypted and the loss of two unencrypted USB thumb drives resulted in the unlawful disclosure of ePHI relating to tens of thousands of Respondent’s patients,” he continued.

The ALJ went on to detail the policy that MD Anderson put into place and how the facility said it would go about implementing that policy. However, the ALJ noted that it delayed enforcement and, when it finally started implementation, proceeded “at a snail’s pace.”

MD Anderson argued that it was not obligated to encrypt its devices and that the ePHI at issue was for “research,” and therefore was not subject to HIPAA’s nondisclosure requirements. It also argued that the recommended penalties are “unreasonable and contrary to that which is permitted by regulation.”

MD Anderson also argued that the material lost did not constitute a “disclosure” as defined by HIPAA because it did not release the information and that there was no proof that it was viewed by someone who was not authorized to do so.

The ALJ did not buy MD Anderson’s arguments, saying the case wasn’t about a wrongful taking but about MD Anderson’s failure to protect patient information from disclosure, regardless of how that information was obtained.

The penalties against MD Anderson break down like this: $2,000 a day for each day between March 24, 2011 and January 25, 2013 and $1,500 per year for the years 2012 and 2013.

Just before the ruling, MD Anderson faced yet another breach, which it posted to its website in a notice that reads, in part: “On May 3, 2018, an MD Anderson employee sent an email seeking to recruit people for a research study involving people with a history of colon cancer. The employee meant to send the email in a manner that hid the email addresses of the recipients, but accidentally made the email addresses visible to the others who received the email. We were able to stop delivery on some of the emails, but approximately 599 people still received it. These people may have seen the email addresses to which the email was sent and, if they were able to identify anyone from their email address, may have assumed the person was an MD Anderson patient and had a history of colon cancer.”

If you have any questions about HIPAA compliance or issues with OCR, feel free to contact us at 305-358-4500 or send us an email to info@vitalehealthlaw.com.

Material presented on the Health Law Offices of Anthony C. Vitale's website is intended for information purposes only.

It is not intended as professional advice and should not be construed as such.