By Elizabeth M. Dries, J.D.
The University of Texas MD Anderson Cancer Center (MD Anderson) violated the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) when it failed to consistently encrypt its inventory of electronic devices containing electronic protected health information (ePHI), which allowed that ePHI to be disclosed. The Departmental Appeals Board (DAB) granted summary judgment to the HHS Office for Civil Rights (OCR) on all issues, ruling that MD Anderson was obligated to encrypt all of its electronic devices and that the ePHI at issue was not research data exempt from HIPAA's nondisclosure requirements. Furthermore, the DAB found the penalties reasonable in light of the offense (Director of the Office for Civil Rights v. The University of Texas MD Anderson Cancer Center, Docket No. C-17-854, Decision No. CR5111, June 1, 2018).
Breach and penalties. MD Anderson operates as both an academic institution and a cancer treatment and research center. OCR investigated MD Anderson following three separate data breach reports in 2012 and 2013 involving the theft of an unencrypted laptop from an employee's home and the loss of two unencrypted thumb drives, which together contained ePHI for over 33,500 individuals. MD Anderson had formal encryption policies beginning in 2006 and had conducted risk analyses that found the lack of device-level encryption posed a high risk to the security of ePHI. Despite the encryption policies and high-risk findings, MD Anderson did not begin to adopt an institution-wide solution for encrypting ePHI until 2011, and even then it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011 and January 25, 2013. OCR imposed civil money penalties on MD Anderson for each day of its noncompliance with HIPAA and for each individual whose record was breached, totaling $4,348,000.
Obligation to implement solutions. On appeal, MD Anderson argued that the institution was under no obligation under HIPAA to encrypt its electronic devices and that it did not commit an unlawful disclosure because there was no indication that the electronic information was viewed by anyone. It further argued that the ePHI at issue was research data not subject to HIPAA's nondisclosure requirements, and that the civil money penalties imposed were unreasonable. The DAB rejected each of these arguments. While encryption is not a mechanism specifically dictated by the regulations, it was the mechanism that MD Anderson chose to protect the ePHI on its portable devices. Once MD Anderson elected to use encryption, it was obligated to implement it consistently. In addition, the DAB reasoned that lost information need not be viewed in order to be disclosed; it need only be released. MD Anderson's assertion that HIPAA did not apply because the ePHI on the lost and stolen devices was research information was also rejected, as the lost information contained names, addresses, Social Security numbers, medical diagnoses and treatment plans of patients. The duration and amount of the penalties OCR imposed were reasonable in light of the large number of individuals affected, the number of days the violation continued and the size of the institution.