An administrative law judge (ALJ) has ordered the University of Texas MD Anderson Cancer Center to pay $4.3 million in civil monetary penalties for HIPAA violations. In his summary judgment ruling, the ALJ upheld the civil monetary penalty imposed by the Office for Civil Rights (OCR). The ALJ determined that the OCR’s civil monetary penalty was appropriate to remedy MD Anderson’s failure to encrypt its laptops and USB thumb drives and its unlawful disclosure of the electronic protected health information (ePHI) of more than 33,500 individuals.
The OCR’s investigation of MD Anderson began after MD Anderson reported three separate data breaches. In 2012 and 2013, an unencrypted laptop containing ePHI was stolen from the personal residence of an MD Anderson employee, and two unencrypted USB thumb drives containing ePHI were lost.
The investigation revealed that, although MD Anderson had written encryption policies and had conducted a risk analysis concluding that the lack of device-level encryption posed a serious threat to the security of ePHI, MD Anderson failed to encrypt all of its electronic devices containing ePHI. When the OCR and MD Anderson were unable to reach a settlement agreement related to MD Anderson’s HIPAA violations, the agency imposed a civil monetary penalty calculated from the number of days MD Anderson was out of compliance with HIPAA and the number of individuals whose ePHI was breached.
In upholding the OCR’s civil monetary penalty, the ALJ rejected MD Anderson’s arguments that it did not violate HIPAA’s regulatory requirements. The ALJ concluded that MD Anderson “recognized a problem, consisting of the vulnerability of its ePHI to unauthorized disclosure including by loss or theft, devised a mechanism to protect ePHI that included encryption of devices, and failed to implement that mechanism.” The ALJ also rejected MD Anderson’s claims that the civil monetary penalty was unreasonable.
It is rare for a HIPAA enforcement matter to come before an ALJ. Generally, OCR investigations result in the negotiation and execution of a resolution agreement between HHS and the covered entity or business associate. The ALJ’s ruling marks only the second summary judgment victory for the OCR since it began its HIPAA enforcement efforts in the early 2000s. The $4.3 million penalty is the fourth largest amount either awarded to the OCR by an ALJ or obtained through settlement for HIPAA violations.
For more information, please contact the Barnes & Thornburg LLP attorney with whom you work or Laura Seng at 574-237-1129 or laura.seng@btlaw.com; Heather Delgado at 312-338-5905 or heather.delgado@btlaw.com; Mike Grubbs at 317-231-7224 or michael.grubbs@btlaw.com; or Erica Woebse at 317-231-7838 or erica.woebse@btlaw.com.
© 2018 Barnes & Thornburg LLP. All Rights Reserved. This page, and all information on it, is proprietary and the property of Barnes & Thornburg LLP. It may not be reproduced, in any form, without the express written consent of Barnes & Thornburg LLP.
This Barnes & Thornburg LLP publication should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own lawyer on any specific legal questions you may have concerning your situation.