August 18, 2019

August 16, 2019

Subscribe to Latest Legal News and Analysis

Administrative Law Judge Upholds $4.3 Million Fine Against Texas Treatment and Research Center for HIPAA Violations

An administrative law judge (ALJ) has ordered the University of Texas MD Anderson Cancer Center to pay $4.3 million in civil monetary penalties for HIPAA violations. In his summary judgment ruling, the ALJ upheld the civil monetary penalty imposed by the Office for Civil Rights (OCR). The ALJ determined that the OCR’s civil monetary penalty was appropriate to remedy MD Anderson’s failure to encrypt its laptops and USB thumb drives and its unlawful disclosure of the electronic protected health information (ePHI) of more than 33,500 individuals.

The OCR’s investigation of MD Anderson began after MD Anderson suffered three separate data breaches. Throughout 2012 and 2013, an unencrypted laptop that contained ePHI was stolen from the personal residence of an MD Anderson employee and two unencrypted USB thumb drives containing ePHI were lost.

An investigation of MD Anderson revealed that despite the fact that MD Anderson had written encryption policies and had conducted a risk analysis that concluded that the lack of device-level encryption posed a serious threat to the security of ePHI, MD Anderson failed to encrypt all of its electronic devices containing ePHI. When the OCR and MD Anderson were unable to reach a settlement agreement related to MD Anderson’s HIPAA violations, the agency imposed a civil monetary penalty based on the number of days of MD Anderson’s noncompliance with HIPAA and the number of individuals whose ePHI was breached.

In upholding the OCR’s civil monetary penalty, the ALJ rejected MD Anderson’s arguments that it did not violate HIPAA’s regulatory requirements. The ALJ concluded that MD Anderson “recognized a problem, consisting of the vulnerability of its ePHI to unauthorized disclosure including by loss or theft, devised a mechanism to protect ePHI that included encryption of devices, and failed to implement that mechanism.” The ALJ also rejected MD Anderson’s claims that the civil monetary penalty was unreasonable.

It is rare for a HIPAA settlement to come before an ALJ. Generally, OCR investigations result in the negotiation and execution of a resolution agreement between HHS and the covered entity or business associate. The ALJ’s ruling marks only the second summary judgment victory since the OCR began its HIPAA enforcement efforts in the early 2000s. The $4.3 million settlement is the fourth largest HIPAA settlement either awarded to the OCR by an ALJ or obtained through settlement for HIPAA violations.



About this Author

Laura D. Seng, Barnes Thornburg Law Firm, South Bend, Healthcare Attorney

Laura Seng is a partner in Barnes & Thornburg LLP’s South Bend, Indiana, office and is the chair of firm's national Healthcare Department. Ms. Seng concentrates her practice in regulatory compliance, transactional matters and medical-legal business issues for healthcare entities and individual providers. She is listed as a notable healthcare lawyer by Best Lawyers in America® and was recognized by her peers in Indiana Super Lawyers® as a “Rising Star” in healthcare law.  

Ms. Seng represents hospitals, physicians, multi-specialty clinics and healthcare...

Heather Delgado Healthcare Attorney

Healthcare providers depend upon Heather Delgado for her commitment to responsiveness and practical legal advice. Heather focuses on finding the right solution for her clients. She is valued for her ability to overcome the obstacles her clients face and for her skill in applying complex laws and regulations to their business practices.

Heather’s experience includes the representation of healthcare providers, including hospitals, health systems, specialty hospitals, ambulatory surgery centers, multi- and single-specialty medical practices, and a wide variety of healthcare entrepreneurs. During the past several years, Heather has devoted the majority of her time and effort to matters related to hospitals, health systems and group medical practices.

With experience that is both broad and deep, Heather represents healthcare entities in mergers and acquisitions, structuring joint ventures and setting up physician management companies. She negotiates and drafts business contracts, designs and implements compliance plans, provides legal opinions regarding tax-exempt status, and advises on fraud and abuse statutes.

In addition, Heather provides comprehensive legal advice regarding self-referral and Stark implications of hospital-physician relationships, drafts medical staff bylaws, reviews reimbursement related issues, and conducts internal audits and investigations. Moreover, she also drafts and implements HIPAA policies and audits and trains healthcare providers and nonprofit associations regarding HIPAA policies and procedures, as well as provides counsel on a broad range of business and legal issues.

Michael Grubbs, Barnes Thornburg Law Firm, Indianapolis, Healthcare Law Attorney

J. Michael Grubbs is a partner in the Healthcare Department. He serves as administrator of the department for the Indianapolis, Indiana office. His practice includes representation of healthcare providers before state and federal healthcare regulatory agencies and in related litigation matters. His work also includes resolution of reimbursement and regulatory compliance issues as well as structuring or restructuring ventures and transactions to avoid problems before they arise.

Prior to entering the practice of law in 1988, Mr. Grubbs worked in...

Erica Woebse, Barnes Thornburg Law Firm, Indianapolis, Cybersecurity and Health Care Law Attorney

Erica L. Woebse is an associate in Barnes & Thornburg’s Indianapolis office and a member of the firm’s Healthcare Department. Ms. Woebse provides organizational, contracting and strategic guidance to the firm’s healthcare clients.

Ms. Woebse counsels clients on compliance with federal and state healthcare laws and regulations. She assists clients with HIPAA compliance, including by drafting HIPAA policies and procedures; training privacy and security officers; and guiding clients through HIPAA breaches. Ms. Woebse also counsels clients on...

317-231-7838 Read more: