Devine-Millimet - $4.3 Million in Sanction for HIPAA Violations


Tuesday, June 19, 2018

On June 1, a U.S. Administrative Law Judge granted summary judgment to the Office for Civil Rights (“OCR”), and ordered The University of Texas MD Anderson Cancer Center (“MD Anderson”) to pay $4,348,000 in civil penalties for HIPAA violations. According to the Department of Health and Human Services, this is the second summary judgment victory in OCR’s history of HIPAA enforcement and the fourth largest amount ever awarded to OCR by an Administrative Law Judge, or secured through settlement, for alleged HIPAA violations.

The OCR investigation into MD Anderson stemmed from three separate data breach reports in 2012 and 2013:

  • The first incident involved the theft of an unencrypted laptop from the home of an MD Anderson physician and faculty member. The physician had uploaded electronic protected health information (“ePHI”) of 29,021 individuals onto a laptop purchased with MD Anderson funds and used as a telework computer. The physician acknowledged that the laptop was neither encrypted nor password protected and that any family member could have accessed the ePHI.
  • The second incident involved the loss of an unencrypted USB thumb drive onto which a research lab summer intern had uploaded Excel spreadsheets containing ePHI of 2,264 individuals. The intern misplaced the drive on her way home from work.
  • The third incident involved a physician’s loss of an unencrypted USB thumb drive onto which she had uploaded ePHI of 3,598 individuals. The physician reported that she kept the thumb drive in a tray on her desk and last saw it before leaving for Thanksgiving on November 27, 2013. When she returned to her office on December 2, 2013, the thumb drive was missing.

The OCR imposed penalties of:

  • $2,000 per day for each day of MD Anderson’s failure to implement HIPAA-required policies and procedures for electronic information systems maintaining ePHI to limit access to only those persons or programs granted access (a total of $1,348,000, covering 674 days); and,
  • $1,500,000 per year for violations of HIPAA’s Privacy Rule (impermissible disclosures of ePHI) for the years 2012 and 2013 (a total of $3,000,000).

The Administrative Law Judge rejected MD Anderson’s arguments that it was not obligated to encrypt all devices, that the ePHI at issue was research data not subject to HIPAA’s non-disclosure requirements, and that the penalties imposed were unreasonable.

The Administrative Law Judge characterized MD Anderson’s “dilatory conduct” as “shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI,” a risk that MD Anderson “not only recognized, but that it restated many times.”

Key to the ruling was MD Anderson’s actual knowledge that the ePHI should have been protected. MD Anderson had written encryption policies as early as 2006. Employees signed Acceptable Use Agreements and User Acknowledgements that referenced the need for encryption. Annual risk assessments performed in 2010 and 2011 identified encryption of confidential data on mobile media as a key risk area that had not been mitigated. Despite this, MD Anderson did not adopt an enterprise-wide encryption solution until 2011, and by January 2013 it still had not encrypted its complete inventory of electronic devices containing ePHI. In other words, the organization had identified the risk, written the policy, and told its workforce about it, but had not finished the work of actually deploying encryption to every device that held ePHI.

OCR’s Director, Roger Severino, issued a statement explaining: “OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations. We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information.”

This ruling underscores the need to ensure that appropriate policies are in place to encrypt ePHI and the devices on which it is stored and, more importantly, to ensure that those policies are actually implemented and verified across the full inventory of devices, rather than merely adopted on paper. If you have questions about whether your organization’s policies are adequate or about steps that should be taken to ensure compliance, please contact Jonathan Lax or Elaine Michaud.
