HHS administrative judge upholds $4.35M fine for MD Anderson
Three separate data breaches in 2012 and 2013 at MD Anderson Cancer Center have resulted in the organization receiving one of the toughest penalties for violation of the HIPAA privacy and security rules.
An administrative law judge from the Department of Health and Human Services has affirmed a ruling that the organization violated HIPAA regulations and has granted summary judgment to the HHS Office for Civil Rights on all issues. This includes requiring MD Anderson to pay $4.35 million in civil money penalties to the HHS Office for Civil Rights.
“This is the second summary judgement victory in OCR’s history of HIPAA enforcement, and the $4.3 million is the fourth largest amount ever awarded to OCR by an administrative law judge or secured in a settlement for HIPAA violation,” OCR notes in the announcement of sanctions.
The three breaches involved theft of an unencrypted laptop and loss of two unencrypted USB thumb drives containing protected health information on more than 33,500 individuals.
OCR determined that MD Anderson had written encryption policies going as far back as 2006, and its own risk analyses had found that the lack of device-level encryption posed a high risk. Still, the organization did not begin to adopt enterprise-wide encryption of electronic protected health information until 2011, and it did not encrypt its inventory of electronic devices holding ePHI between March 24, 2011, and Jan. 25, 2013.
MD Anderson contended it was not obligated to encrypt devices and asserted that the ePHI at issue was for research and not subject to HIPAA’s nondisclosure requirements. The organization further argued that HIPAA penalties were unreasonable.
The administrative law judge rejected the arguments and said that the organization’s “dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI,” a risk that MD Anderson “not only recognized but that it restated many times.”
The notice of proposed determination and the administrative law judge’s decision are available here. MD Anderson issued the following statement to Health Data Management:
"Patient privacy is of extreme importance at The University of Texas MD Anderson Cancer Center, and substantial measures are in place to ensure the protection of private patient information. In all three cases involving the loss or theft of devices reviewed by the Administrative Law Judge (ALJ), there is no evidence any patient information was viewed or any harm to patients was caused.
"We are disappointed by the ALJ’s ruling, and we are concerned that key exhibits and arguments were not considered. MD Anderson plans to appeal the ruling, which will result in a full review of all of the arguments and evidence. Regardless of the ALJ’s decision, we hope this process brings transparency, accountability and consistency to the Office for Civil Rights’ enforcement process.
"MD Anderson remains committed to patient privacy, and we will continue our efforts to remain an industry leader in safely protecting patient information."