$4.3 Million in Sanction for HIPAA Violations
On June 1, a U.S. Administrative Law Judge granted summary judgment to the Office for Civil Rights (“OCR”), and ordered The University of Texas MD Anderson Cancer Center (“MD Anderson”) to pay $4,348,000 in civil penalties for HIPAA violations. According to the Department of Health and Human Services, this is the second summary judgment victory in OCR’s history of HIPAA enforcement and the fourth largest amount ever awarded to OCR by an Administrative Law Judge, or secured through settlement, for alleged HIPAA violations.
The OCR investigation into MD Anderson stemmed from three separate data breach reports in 2012 and 2013:
- The first incident involved the theft, from the home of an MD Anderson physician and faculty member, of an unencrypted laptop purchased with MD Anderson funds and used by the physician as a telework computer, onto which the physician had uploaded electronic protected health information (“ePHI”) of 29,021 individuals. The physician acknowledged the laptop was neither encrypted nor password protected and that any family member could access the ePHI.
- The second incident involved the loss of an unencrypted USB thumb drive onto which a research lab summer intern had uploaded Excel spreadsheets containing ePHI of 2,264 individuals. The intern misplaced the drive on her way home from work.
- The third incident involved a physician’s loss of an unencrypted USB thumb drive onto which she uploaded ePHI of 3,598 individuals. The doctor reported she kept the thumb drive in a tray on her desk and last saw it before going away for Thanksgiving on November 27, 2013. When she returned to her office on December 2, 2013, the thumb drive was missing.
The OCR imposed penalties of:
- $2,000 per day for each day of MD Anderson’s failure to implement HIPAA-required policies and procedures for electronic information systems maintaining ePHI that limit access to only those persons or programs granted access; and
- $1,500,000 per year for violations of HIPAA’s privacy rule for the years 2012 and 2013.
The Administrative Law Judge rejected MD Anderson’s arguments that it was not obligated to encrypt all devices, that the ePHI at issue was for research and not subject to HIPAA’s non-disclosure requirements, and that the penalties imposed were unreasonable.
The Administrative Law Judge characterized MD Anderson’s “dilatory conduct” as “shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI,” a risk that MD Anderson “not only recognized, but that it restated many times.” Read a copy of the Decision here.
Key to the ruling was MD Anderson’s actual knowledge that ePHI should have been protected. MD Anderson had written encryption policies as early as 2006. Employees signed Acceptable Use Agreements and User Acknowledgements that referenced the need for encryption. Annual risk assessments performed in 2010-2011 identified encryption of confidential data on mobile media as a key risk area that was not mitigated. Despite this, MD Anderson did not adopt an enterprise-wide solution to implement encryption until 2011, and by January 2013, it had not encrypted its complete inventory of electronic devices containing ePHI.
The OCR’s Director, Roger Severino, issued a statement explaining: “OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations. We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information.”
This ruling underscores the need to ensure appropriate policies are in place to encrypt ePHI and the devices on which it is stored and, more importantly, to ensure those policies are implemented. If you have questions about whether your organization’s policies are adequate or steps that should be taken to ensure compliance, please contact Jonathan Lax or Elaine Michaud.