Judge upholds $4.3M HIPAA fine against MD Anderson

An administrative law judge said OCR's fine was appropriate because MD Anderson failed to encrypt its devices despite knowing it was a security weakness. (Getty/designer491)

An administrative law judge ruled the University of Texas MD Anderson Cancer Center must pay a $4.3 million penalty issued by the Department of Health and Human Services for HIPAA violations.

The three data breaches in question date back to 2012 and 2013, when an unencrypted laptop was stolen from an MD Anderson employee and two unencrypted USB thumb drives containing the information of 33,500 patients were lost. An investigation by the HHS Office for Civil Rights found MD Anderson had written encryption policies dating back to 2006, and an internal risk analysis had already identified the lack of encryption on hospital-owned devices as a security risk.

Still, MD Anderson failed to encrypt its inventory of electronic devices, which prompted OCR to issue fines for each day of HIPAA noncompliance and for each record that was exposed. OCR issued the fine in March 2017, citing the provider's "willful neglect" and imposing the maximum available penalty.


“OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” OCR Director Roger Severino said in a statement. “We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information.”

In his judgment, the administrative law judge said the fines were warranted because MD Anderson "failed to adopt an effective mechanism" to protect patient data. He also rejected the provider's argument that stolen information is disclosed only when it is actually viewed by a third party.

“The plain language of the regulation doesn't suggest that,” Steven T. Kessel wrote in his decision (PDF). “Moreover, to interpret the regulation so narrowly as Respondent suggests would render its prohibitions against unauthorized disclosure to be meaningless. If Respondent had its way, it and other covered entities could literally cast ePHI to the winds and be immune from penalty so long as OCR fails to prove that someone else received and viewed that information.”

Monday’s decision marks the second summary judgment victory in OCR’s history of HIPAA enforcement. It is the fourth-largest fine in OCR’s history.

In a statement to FierceHealthcare, MD Anderson said it plans to appeal the ruling.

"Patient privacy is of extreme importance at The University of Texas MD Anderson Cancer Center, and substantial measures are in place to ensure the protection of private patient information," a spokesperson said in a statement. "In all three cases involving the loss or theft of devices reviewed by the Administrative Law Judge (ALJ), there is no evidence any patient information was viewed or any harm to patients was caused.

"We are disappointed by the ALJ's ruling, and we are concerned that key exhibits and arguments were not considered. MD Anderson plans to appeal the ruling, which will result in a full review of all of the arguments and evidence. Regardless of the ALJ's decision, we hope this process brings transparency, accountability and consistency to the Office for Civil Rights' enforcement process.

"MD Anderson remains committed to patient privacy, and we will continue our efforts to remain an industry leader in safely protecting patient information."

Editor's Note: This story has been updated to include a statement from MD Anderson. 