MD Anderson Cancer Center Fined $4.3M for HIPAA Violations
_{June 23, 2018}

This article below was written by Roxanne Nelson, BSN, RN June 21, 2018, in MD Anderson Cancer Center Fined $4.3M for HIPAA Violations – Medscape – Jun 21, 2018.

The University of Texas MD Anderson Cancer Center in Houston has been fined $4.3 million for violations of the Health Insurance Portability and Accountability Act (HIPAA).

The fine was levied against the center by the US Department of Health and Human Services (HHS) Office of Civil Rights (OCR) for three separate data breaches that go back to 2012 and 2013 when health records of more than 35,000 patients were lost.

During that time period, an unencrypted laptop was stolen from the home of an MD Anderson employee and two unencrypted USB thumb drives were lost, containing the unencrypted electronic protected health information (ePHI) of over 33,500 individuals.

According to HHS, the OCR investigation and MD Anderson’s own risk analyses found that the written encryption policies that were in place (dating back more than 10 years to 2006) and the lack of device-level encryption “posed a high risk to the security of ePHI.” But although these policies had been put in place, and health records were at risk, MD Anderson did not begin to fully implement encryption of ePHI until 2011.

However, even though the adoption of encryption had begun, the center apparently failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011, and January 25, 2013, the time period when patient health records were lost.

An HHS administrative law judge (ALJ) has now ruled that the cancer center violated HIPAA and has granted summary judgment to the OCR on all issues. MD Anderson is now required to pay $4,348,000 in civil money penalties to OCR. This is the second summary judgment victory in OCR’s history of HIPAA enforcement and the fourth-largest amount ever awarded to OCR by an ALJ or otherwise secured in a settlement for HIPAA violations.

“OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” said OCR Director Roger Severino in a statement. “We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption when required to protect sensitive patient information.”

However, MD Anderson argued that it was under no obligation to encrypt these devices and that because the ePHI was solely for the purposes of “research,” it did not fall under HIPAA criteria. They further argued that the penalty was unreasonable. Each of these arguments was rejected by the ALJ, who stated that the center’s “dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI,” a risk that MD Anderson “not only recognized but that it restated many times.”

MD Anderson is not the first facility to be fined for failing to encrypt its data.

Earlier this year, Fresenius Medical Care North America reached an agreement with OCR for $3.5 million to settle allegations of five separate HIPAA violations at various affiliated facilities. The OCR investigation disclosed that several of their facilities “failed to conduct thorough and accurate risk analyses of potential vulnerabilities” in relation to the confidentiality and availability of patient information and allowed “impermissible disclosure of ePHI through unauthorized access for purposes not permitted by HIPAA.”

In a statement to the Houston Chronicle, MD Anderson said that it was “disappointed by the ALJ’s ruling and…concerned that key exhibits and arguments were not considered.”

It went on to say that “In all three cases involving the loss or theft of devices reviewed by the Administrative Law Judge, there is no evidence any patient information was viewed or any harm to patients was caused.”

MD Anderson plans to appeal the ruling.