University Of Texas MD Anderson Cancer Center Must Pay More Than $4.3 Million For HIPAA Violations
Posted by donna@healthlawcenterplc.com in Jun, 2018
An Administrative Law Judge (ALJ) ruled that MD Anderson Cancer Center must pay more than $4.3 million in civil monetary penalties for violating the HIPAA Privacy and Security Rules. The ruling is based on three separate data breaches in 2012 and 2013 that involved the theft of an unencrypted laptop from an MD Anderson physician’s home and the loss of two unencrypted thumb drives. These three breaches affected approximately 34,000 individuals.
MD Anderson had encryption policies and had conducted a risk analysis, which indicated that it lacked device-level encryption. The Administrative Law Judge found that MD Anderson had not adopted an organization-wide solution to implement encryption of electronic protected health information (ePHI) until 2011, and also failed to encrypt its inventory of electronic devices between March 2011 and January 2013. The ALJ noted that MD Anderson “made only half-hearted and incomplete efforts at encryption over the ensuing years. Despite identifying the risk of and dangers related to confidential data loss and deciding on encryption of devices as a means of protecting such data, MD Anderson delayed encryption of laptop devices for years and then, proceeded with encryption at a snail’s pace.”
The ALJ acknowledged that HIPAA regulations allow considerable flexibility in how an entity safeguards ePHI and do not specifically require encryption. The ALJ went on to comment that “the bottom line is that whatever mechanisms an entity adopts, it must be effective. MD Anderson decided to use encryption to protect its ePHI, but failed to do so effectively.”
Practice Tip – If a Covered Entity chooses to implement an action or policy that is discretionary under HIPAA, it is imperative that such action or policy be comprehensive and well thought out. To do otherwise could result in a similar violation of HIPAA. If you are not sure of your obligations under the HIPAA Privacy and Security Rules or need to have a risk analysis conducted, contact The Health Law Center, PLC to discuss your needs.
Category: HIPAA