It’s Happened Again! OCR Granted $4.3M Summary Judgment in HIPAA Enforcement Action
Recently, The University of Texas MD Anderson Cancer Center (MD Anderson) was ordered to pay $4.3 million in civil monetary penalties for HIPAA violations. Unlike most Office for Civil Rights (OCR) HIPAA enforcement actions, which end in a negotiated settlement agreement, this case was not informally resolved: OCR litigated it, and an Administrative Law Judge (ALJ) granted OCR summary judgment requiring MD Anderson to pay the penalties. This is only the second time an ALJ has granted OCR summary judgment in a HIPAA enforcement action, and $4.3 million is the fourth largest amount OCR has ever been awarded or secured in a settlement.
OCR opened an investigation into MD Anderson following three breach reports from 2012 and 2013 involving the theft of an unencrypted laptop and the loss of two unencrypted USB thumb drives containing the electronic protected health information (ePHI) of over 33,500 individuals. The investigation revealed that MD Anderson's own risk analyses had identified the lack of device-level encryption as a high risk to the security of ePHI, yet the organization failed to roll out enterprise-wide encryption to all of its electronic devices. OCR attempted to reach a resolution by informal means and gave MD Anderson an opportunity to submit evidence of mitigating factors or affirmative defenses. In response, MD Anderson argued that the ePHI at issue was held for research purposes and was therefore not subject to HIPAA's non-disclosure requirements. MD Anderson also argued that OCR's penalties were unreasonable. OCR, and ultimately the ALJ, rejected both arguments and required MD Anderson to pay the civil monetary penalties.
The $4.3 million penalty consisted of two parts: (1) a $2,000 per day penalty for each day MD Anderson failed to encrypt the electronic devices (for a total of $1,348,000); and (2) a $1,000 per violation penalty for the impermissible disclosure of each affected individual's records, capped at $1.5 million per calendar year. Because the breaches spanned 2012 and 2013, the cap applied in each year, for a total of $3,000,000.
The MD Anderson case involved clinical research data, and it serves as a reminder to organizations that there is a regulatory mechanism to segregate research functions from clinical functions (here, it appears MD Anderson never performed and implemented a "hybrid" entity analysis, so the research data remained within the covered entity). The enforcement action is also yet another reminder that covered entities and business associates must implement effective safeguards, including encryption, to protect ePHI. Note that encryption is an "addressable" implementation specification under the Security Rule; addressable does not mean optional. An entity that does not encrypt must document why encryption is not reasonable and appropriate and implement an equivalent alternative, and a risk analysis that rates the lack of encryption as a high risk, as MD Anderson's did, leaves little room for that justification. With the ever-growing number of electronic devices that contain PHI, it is imperative that covered entities and business associates know where ePHI resides (including on laptops and removable media) and that such devices are included in the organization's security risk analysis and data security implementation plans.
This recent high-dollar enforcement action will no doubt catch the attention of health care executives and data privacy and security personnel. It is yet another example of OCR's continued efforts to actively enforce the HIPAA Privacy and Security Rules, and it shows, in the words of OCR's press release, that "OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations."