Provided by: Jennifer Kirschenbaum, Esq.
July 17, 2018
The University of Texas MD Anderson Cancer Center (MD Anderson) was found to have violated the HIPAA's Privacy and Security Rules and required to pay $4,348,000 in civil money penalties to OCR by a Houston Administrative Law Judge. MD Anderson is a training institution and cancer treatment and research center in Houston.
As per the OCR Press Release (https://www.hhs.gov/about/news/2018/06/18/judge-rules-in-favor-of-ocr-and-requires-texas-cancer-center-to-pay-4.3-million-in-penalties-for-hipaa-violations.html), "MD Anderson allegedly had stolen an unencrypted laptop from the residence of an MD Anderson employee and lost two unencrypted universal serial bus (USB) thumb drives containing the unencrypted electronic protected health information (ePHI) of over 33,500 individuals." The crux of the judge's ruling - MD Anderson had encryption policies and then didn't follow them.
MD Anderson claimed "that it was not obligated to encrypt its devices, and asserted that the ePHI at issue was for “research,” and thus was not subject to HIPAA’s nondisclosure requirements. MD Anderson further argued that HIPAA’s penalties were unreasonable. The ALJ rejected each of these arguments and stated that MD Anderson’s “dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI,” a risk that MD Anderson “not only recognized, but that it restated many times.”" Id.
The lesson(s) from the recent decision - (As from OCR) - "OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” said OCR Director Roger Severino." Apart from OCR's newfound aggression, it is important to see that exposure may come from places you didn't think of or may not have much control. If an employee has access to PHI outside of the workplace, that person should have to sign out that equipment or sign off on taking personal responsibility. The other lesson - if you have a policy, follow it. Here, MD Anderson did not follow its own encryption policy, which likely required all devices be locked, password protected and with remote reset or sweep, as available.
For assistance creating proper and practical policies and employee protections, email Jennifer or Taryn for a time to discuss.