April 26, 2019

Administrative Law Judge Upholds $4.3 Million Fine Against Texas Treatment and Research Center for HIPAA Violations

An administrative law judge (ALJ) has ordered the University of Texas MD Anderson Cancer Center to pay $4.3 million in civil monetary penalties for HIPAA violations. In his summary judgment ruling, the ALJ upheld the civil monetary penalty imposed by the Office for Civil Rights (OCR). The ALJ determined that the OCR’s civil monetary penalty was appropriate to remedy MD Anderson’s failure to encrypt its laptops and USB thumb drives and its unlawful disclosure of the electronic protected health information (ePHI) of more than 33,500 individuals.

The OCR’s investigation of MD Anderson began after MD Anderson suffered three separate data breaches. Throughout 2012 and 2013, an unencrypted laptop that contained ePHI was stolen from the personal residence of an MD Anderson employee and two unencrypted USB thumb drives containing ePHI were lost.

The investigation revealed that although MD Anderson had written encryption policies and had conducted a risk analysis concluding that the lack of device-level encryption posed a serious threat to the security of ePHI, it failed to encrypt all of its electronic devices containing ePHI. When the OCR and MD Anderson were unable to reach a settlement agreement related to MD Anderson’s HIPAA violations, the agency imposed a civil monetary penalty based on the number of days of MD Anderson’s noncompliance with HIPAA and the number of individuals whose ePHI was breached.

In upholding the OCR’s civil monetary penalty, the ALJ rejected MD Anderson’s arguments that it did not violate HIPAA’s regulatory requirements. The ALJ concluded that MD Anderson “recognized a problem, consisting of the vulnerability of its ePHI to unauthorized disclosure including by loss or theft, devised a mechanism to protect ePHI that included encryption of devices, and failed to implement that mechanism.” The ALJ also rejected MD Anderson’s claims that the civil monetary penalty was unreasonable.

It is rare for a HIPAA settlement to come before an ALJ. Generally, OCR investigations result in the negotiation and execution of a resolution agreement between HHS and the covered entity or business associate. The ALJ’s ruling marks only the second summary judgment victory since the OCR began its HIPAA enforcement efforts in the early 2000s. The $4.3 million settlement is the fourth largest HIPAA settlement either awarded to the OCR by an ALJ or obtained through settlement for HIPAA violations.

© 2019 BARNES & THORNBURG LLP

About this Author

Laura D. Seng, Barnes Thornburg Law Firm, South Bend, Healthcare Attorney
Partner

Laura Seng is a partner in Barnes & Thornburg LLP’s South Bend, Indiana, office and is the chair of the firm's national Healthcare Department. Ms. Seng concentrates her practice in regulatory compliance, transactional matters and medical-legal business issues for healthcare entities and individual providers. She is listed as a notable healthcare lawyer by Best Lawyers in America® and was recognized by her peers in Indiana Super Lawyers® as a “Rising Star” in healthcare law.

Ms. Seng represents hospitals, physicians, multi-specialty clinics and healthcare...

574-237-1129
Heather Delgado, Barnes Thornburg Law Firm, Chicago, Health Care Law Attorney
Partner

Heather F. Delgado is a partner in Barnes & Thornburg LLP’s Chicago office and a member of the firm’s Healthcare Department. Ms. Delgado practices exclusively in the healthcare transactional, regulatory and compliance areas.

Ms. Delgado’s experience includes the representation of healthcare providers, including hospitals, health systems, specialty hospitals, ambulatory surgery centers, multi- and single-specialty medical practices, and a wide variety of healthcare entrepreneurs. During the past several years, Ms. Delgado has devoted a substantial majority of her time and efforts to matters related to hospitals, health systems and group medical practices. Her efforts have included representing these entities in mergers and acquisitions; structuring joint ventures; setting up physician management companies; negotiating and drafting business contracts; drafting and implementing compliance plans; providing legal opinions regarding tax-exempt status, fraud and abuse statute, self referral and Stark implications of hospital-physician relationships; drafting medical staff bylaws; reviewing reimbursement related issues; conducting internal audits and investigations; drafting, implementing, auditing and training on HIPAA policies and procedures; and providing advice and counsel on a broad range of business and legal issues.

312-338-5905
Michael Grubbs, Barnes Thornburg Law Firm, Indianapolis, Healthcare Law Attorney
Partner

J. Michael Grubbs is a partner in the Healthcare Department. He serves as administrator of the department for the Indianapolis, Indiana office. His practice includes representation of healthcare providers before state and federal healthcare regulatory agencies and in related litigation matters. His work also includes resolution of reimbursement and regulatory compliance issues as well as structuring or restructuring ventures and transactions to avoid problems before they arise.

Prior to entering the practice of law in 1988, Mr. Grubbs worked in...

317-231-7224
Erica Woebse, Barnes Thornburg Law Firm, Indianapolis, Cybersecurity and Health Care Law Attorney
Associate

Erica L. Woebse is an associate in Barnes & Thornburg’s Indianapolis office and a member of the firm’s Healthcare Department. Ms. Woebse provides organizational, contracting and strategic guidance to the firm’s healthcare clients.

Ms. Woebse counsels clients on compliance with federal and state healthcare laws and regulations. She assists clients with HIPAA compliance, including by drafting HIPAA policies and procedures; training privacy and security officers; and guiding clients through HIPAA breaches. Ms. Woebse also counsels clients on...

317-231-7838 Read more: http://www.btlaw.com/Erica-L-Woebse/