On June 18, 2018, HHS announced that a $4,348,000 penalty against The University of Texas MD Anderson Cancer Center (MD Anderson) was affirmed by an administrative law judge (ALJ). The penalty resulted from HIPAA privacy and security rule violations and represents the fourth largest amount awarded to OCR for a HIPAA violation.
As background, HHS’s Office for Civil Rights (OCR) is responsible for HIPAA enforcement and investigated MD Anderson after three separate data breaches were reported in 2012 and 2013. One breach involved the theft of an unencrypted laptop from the residence of an MD Anderson employee and the other two involved the loss of unencrypted universal serial bus (USB) thumb drives containing electronic protected health information (ePHI) of over 35,500 individuals.
OCR’s investigation into MD Anderson found that it was not following its own encryption policies and did not take action when an internal risk analysis discovered that the lack of device-level encryption posed a high risk to the security of ePHI. MD Anderson asserted three different claims as to why their breach was not an unauthorized disclosure. First, they argued that a disclosure had not occurred because there was no proof that a third party had received or viewed the PHI that was left on those devices. The ALJ rejected that argument as nothing in the HIPAA regulations requires that lost information must be viewed by unauthorized individuals in order to be disclosed. Instead, simply releasing PHI constitutes a disclosure for which OCR has the authority to impose a penalty.
Second, MD Anderson defended its actions by asserting that the obligation to encrypt did not exist, since the ePHI was being used for ‘research’ and was, therefore, not subject to HIPAA’s nondisclosure requirements. The ALJ rejected this argument because there is nothing in HIPAA that subjects that HIPAA rules do not apply to PHI that is disclosed in the course of research.
Third, MD Anderson claimed that the actions of employees were unsanctioned and the result of theft, and therefore their actions couldn’t be imputed to MD Anderson. However, the ALJ reasoned that HIPAA holds principals liable for the acts of their agents, including employees, when they act within the scope of their duties. In this case, the employees in question had access to the laptop and USB pursuant to their official capacity. So MD Anderson was not off the hook for the actions of its employees.
For employers, this decision is a great reminder that the OCR is pursuing HIPAA privacy violations, especially those issues related to risk management. Employers should conduct routine risk assessments and address any discovered vulnerabilities. When a company is investigated, the OCR will likely impose penalties if a company fails to implement effective safeguards, such as data encryption, as required to protect sensitive information.
ALJ decision »
HHS press release »