A U.S. Department of Health and Human Services (HHS) Administrative Law Judge (ALJ) has ruled that the University of Texas MD Anderson Cancer Center violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in its failure to encrypt its electronic devices and ordered MD Anderson to pay $4,348,000 in civil monetary penalties  to the Office for Civil Rights (OCR). This is the second summary judgment ordered in favor of the OCR in its history, and the fourth largest amount recovered by OCR for HIPAA violations.

 MD Anderson reported three separate data breaches to OCR between 2012 and 2013 involving the theft of an unencrypted laptop from the residence of an employee and the loss of two unencrypted thumb drives containing the electronic protected health information (ePHI) of over 33,500 individuals.

Upon investigation, OCR determined that MD Anderson’s encryption policies were out of date or not current and that its risk analyses identified the lack of device-level encryption as a high-risk to the security of ePHI.  Additionally, MD Anderson did not adopt an enterprise-wide solution to implement encryption of ePHI until 2011, and subsequently it failed to properly encrypt all electronic devices that contained ePHI between March 2011 and January 2013.

MD Anderson claimed that it was neither obligated to encrypt its devices nor subject to HIPAA’s nondisclosure requirements given that the ePHI at issue was for research.  The ALJ rejected these arguments wholesale and said that MD Anderson’s conduct “is shocking given the high risk to its patients […].”  Further information about the civil monetary penalties is available in the OCR’s Notice of Proposed Determination.