March 31, 2020

$4 Million Judgment Awarded to Office for Civil Rights for HIPAA Violation

A U.S. Department of Health and Human Services (HHS) Administrative Law Judge (ALJ) has ruled that the University of Texas MD Anderson Cancer Center violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by failing to encrypt its electronic devices, and ordered MD Anderson to pay $4,348,000 in civil monetary penalties to the Office for Civil Rights (OCR). This is the second summary judgment ordered in favor of the OCR in its history, and the fourth-largest amount recovered by OCR for HIPAA violations.

MD Anderson reported three separate data breaches to OCR between 2012 and 2013 involving the theft of an unencrypted laptop from the residence of an employee and the loss of two unencrypted thumb drives containing the electronic protected health information (ePHI) of over 33,500 individuals.

Upon investigation, OCR determined that MD Anderson’s encryption policies were out of date and that its risk analyses identified the lack of device-level encryption as a high risk to the security of ePHI. Additionally, MD Anderson did not adopt an enterprise-wide solution to implement encryption of ePHI until 2011, and it subsequently failed to properly encrypt all electronic devices that contained ePHI between March 2011 and January 2013.

MD Anderson claimed that it was neither obligated to encrypt its devices nor subject to HIPAA’s nondisclosure requirements given that the ePHI at issue was for research. The ALJ rejected these arguments wholesale and said that MD Anderson’s conduct “is shocking given the high risk to its patients […].” Further information about the civil monetary penalties is available in the OCR’s Notice of Proposed Determination.

© 2020 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.


About this Author

Sumaya Noush, Drinker Biddle Law Firm, HealthCare Attorney

Sumaya Noush counsels health care clients on strategic and operational matters including transactions, corporate governance, and regulatory compliance. She helps her clients navigate the daily challenges of running their operations while identifying opportunities for growth in today’s rapidly evolving and highly competitive health care market.

Sumaya previously served as a law clerk for Drinker Biddle, an instructor at Yale’s Bioethics Institute where she taught a seminar on FDA law and medical ethics, and a Visiting Scholar at...