ALJ Upholds $4.3M HIPAA Penalty Against Cancer Center

An administrative law judge (ALJ) upheld the imposition of $4,348,000 in monetary penalties against The University of Texas MD Anderson Cancer Center under the Health Insurance Portability and Accountability Act (HIPAA).

The U.S. Department of Health and Human Services (HHS) assessed the penalties against MD Anderson under HIPAA’s privacy and security rules after finding that the hospital had failed for years to address known risks to the electronic protected health information (e-PHI) on its laptops and other devices.

This is the second time an ALJ has upheld a penalty by HHS’ Office for Civil Rights (OCR), and the $4.3 million is the fourth-largest amount ever awarded to OCR by an ALJ or secured in a settlement for HIPAA violations, according to the agency.

“OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” OCR Director Roger Severino said in a statement. “We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information.”

MD Anderson is both a degree-granting academic institution and a comprehensive cancer treatment and research center located at the Texas Medical Center in Houston. OCR investigated MD Anderson following three separate data breach reports in 2012 and 2013 involving the theft of an unencrypted laptop from an employee’s residence and the loss of two unencrypted universal serial bus (USB) thumb drives containing the unencrypted e-PHI of over 33,500 individuals, according to OCR’s account of events.

OCR’s investigation found that MD Anderson had written encryption policies going as far back as 2006 and that its own risk analyses had found that the lack of device-level encryption posed a high risk to the security of e-PHI. Despite these policies and findings, MD Anderson did not begin to implement e-PHI encryption on an enterprisewide basis until 2011, and even then failed to encrypt its inventory of electronic devices containing e-PHI between March 24, 2011 and January 25, 2013, OCR alleged.

The ALJ agreed with OCR and upheld the penalties for each day of MD Anderson’s noncompliance with HIPAA and each record of individuals breached.

MD Anderson argued that it was not actually required to encrypt its devices. The ALJ acknowledged that HIPAA did not prescribe the use of specific mechanisms, but found that “whatever mechanisms an entity adopts must be effective,” and that MD Anderson failed to adopt an effective mechanism despite identifying the vulnerability as early as 2006.

The ALJ also rejected MD Anderson’s arguments that its loss of e-PHI was not actually a “disclosure,” that the data was exempt from HIPAA because it was for research, and that OCR’s penalties were excessive. “Respondent’s dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI, a risk that Respondent not only recognized but that it restated many times,” the ALJ concluded.

MD Anderson to Appeal

MD Anderson plans to appeal the ALJ’s ruling. “We are disappointed by the ALJ’s ruling, and we are concerned that key exhibits and arguments were not considered,” according to a statement released by the hospital. “Regardless of the ALJ’s decision, we hope this process brings transparency, accountability and consistency to [OCR’s] enforcement process.”

MD Anderson also defended its privacy practices. “Patient privacy is of extreme importance at The University of Texas MD Anderson Cancer Center, and substantial measures are in place to ensure the protection of private patient information,” the statement adds. “In all three cases involving the loss or theft of devices reviewed by the [ALJ], there is no evidence any patient information was viewed or any harm to patients was caused.”

David A. Slaughter, JD, is a Senior Legal Editor for BLR’s Thompson HR products, focusing on benefits compliance. Before coming to BLR, he served as editor of Thompson Information Services’ (TIS) HIPAA guides, along with other writing and editing duties related to TIS’ HR/benefits offerings. Mr. Slaughter received his law degree from the University of Virginia and his B.A. from Dartmouth College. He is an associate member of the Virginia State Bar.

Questions? Comments? Contact David at dslaughter@blr.com for more information on this topic.