MD Anderson Pays $4.3 Million HIPAA Fine
In a time when many scoff at the likelihood of steep penalties for violating HIPAA rules, a judge has just upheld a fine that the Department of Health and Human Services (HHS) issued in 2017 over Texas-based MD Anderson's use of unencrypted devices.
This penalty is stiff, and its message is clear: HIPAA cannot be given mere lip service, and ignoring its rules carries hefty costs. It has taken a long time, since HIPAA was first implemented in 2006, to see penalties this high. HHS is finally saying that we have been warned, over and over again, and that it means business.
MD Anderson argued in its appeal that the sum was excessive, but an HHS Administrative Law Judge (ALJ) found the amount appropriate; it must be paid to the HHS Office for Civil Rights (OCR).
This was the fourth-largest amount awarded to the OCR by an HHS ALJ and only the second time the OCR has won summary judgment in a HIPAA proceeding, according to the HHS statement.
MD Anderson's HIPAA Breaches
The breaches occurred in 2012 and 2013 and were reported to OCR. They include:
- An unencrypted laptop was stolen from an MD Anderson faculty member who used it to work from home; the theft was reported in May 2012. The device contained the electronic PHI of more than 29,000 people.
- An unencrypted thumb drive belonging to a summer intern in the Department of Stem Cell Transplantation and Cellular Therapy was reported lost on July 13, 2012. The device contained Microsoft Excel files with the PHI of more than 2,200 people.
- An unencrypted thumb drive was lost by a visiting researcher from Brazil working in MD Anderson's infectious disease department; the loss was reported on December 2, 2013. The device contained the PHI of nearly 3,600 people.
One of the things that got MD Anderson into such deep trouble was its failure to implement its own standard operating procedures. In 2008 the cancer center had decided to encrypt all of its devices, including laptops and USB drives, but it appears the institution had yet to complete that encryption project when the devices went missing.