The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that they issued The University of Texas MD Anderson Cancer Center (MD Anderson) a $4.3 million Texas HIPAA violation fine for three different security breaches that occurred between 2012 and 2013.
In an uncharacteristic enforcement action, the case was put before the HHS Administrative Law Judge (ALJ). The ALJ ruled in favor of OCR, stating that MD Anderson did not comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), specifically violating the Privacy and Security Rules.
What Went Wrong
MD Anderson was brought up on three charges of data breaches and associated HIPAA violations within a single year. The first breach involved the theft of an unencrypted laptop from the residency of a MD Anderson employee. Subsequent breaches were caused by the loss of two unencrypted USB thumb drives that contained the electronic protected health information (ePHI) of over 33,500 individuals. ePHI is any demographic information that can be used to identify a patient, stored in electronic form.
OCR released a statement regarding the breaches, stating that “OCR’s investigation found that MD Anderson had written encryption policies as far back as 2006 and that MD Anderson’s own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI.”
OCR added: “Despite the encryption policies and high risk findings, MD Anderson did not begin to adopt an enterprise-wide solution to implement encryption of ePHI until 2011, and even then, it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011, and January 25, 2013.”
OCR also noted that the ALJ agreed with their arguments and findings and upheld OCR’s penalties for each day of MD Anderson’s noncompliance with HIPAA and for each individual whose record was breached.
OCR sent a letter to MD Anderson breaking down the violations that were uncovered and fines they were to receive. This landmark Texas HIPAA fine included a $1.3 million penalty for violations regarding unencrypted access controls and a $3 million penalty for impermissible disclosures of PHI.
This ruling is only the second summary judgement in OCR’s history of HIPAA enforcement, adding to the trend of uncharacteristic enforcement efforts levied since 2015. The $4.3 million fine is the fourth largest amount that OCR has been awarded by the ALJ or secured in a settlement since HIPAA enforcement began.
The ALJ’s ruling in favor of OCR included a statement, noting that MD Anderson’s “dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI.”
MD Anderson Responds
One of MD Anderson’s key points in the case was that they felt they were not obligated to encrypt their devices due to the fact that the ePHI was for research, so the breach should not violate HIPAA’s non-disclosure regulations. Unfortunately for MD Anderson, this argument did not hold up in court.
MD Anderson claimed that in all three security breaches, neither the theft nor loss of devices indicate that any patient information was viewed or that the breach brought harm to any of their clients.
After the ruling from the ALJ in favor of OCR, MD Anderson stated that it plans to appeal the outcome. “We are disappointed by the ALJ’s ruling, and we are concerned that key exhibits and arguments were not considered. MD Anderson plans to appeal the ruling, which will result in a full review of all of the arguments and evidence.”
Although MD Anderson deemed the Texas HIPAA fine unreasonable, they also stated that regardless of the decision, they “hope this process brings transparency, accountability and consistency to the OCR enforcement process.”
How This Situation Was Avoidable
MD Anderson’s attempt to beat an OCR compliance review, rather than ramp up their PHI safeguards, still resulted in an unfavorable ruling.
Their own risk analyses, over a number of years, showed that they were aware of the risks ahead. All HIPAA-beholden entities must comply with addressable HIPAA standards, such as encryption with documented policies and procedures. Incomplete implementation efforts and willful neglect of HIPAA regulation can put any organization in the same position as MD Anderson, leading to major HIPAA violations and HIPAA fines.
Compliancy Group gives healthcare professionals the ability to confidently address their HIPAA compliance. We help our users protect their business with ongoing support and education. Find out more about our all-in-one HIPAA compliance solution and simplify your compliance today!