January 30, 2023

Volume XIII, Number 30

Administrative Law Judge Upholds $4.3 Million Fine Against Texas Treatment and Research Center for HIPAA Violations

An administrative law judge (ALJ) has ordered the University of Texas MD Anderson Cancer Center to pay $4.3 million in civil monetary penalties for HIPAA violations. In his summary judgment ruling, the ALJ upheld the civil monetary penalty imposed by the Office for Civil Rights (OCR). The ALJ determined that the OCR’s civil monetary penalty was appropriate to remedy MD Anderson’s failure to encrypt its laptops and USB thumb drives and its unlawful disclosure of the electronic protected health information (ePHI) of more than 33,500 individuals.

The OCR’s investigation of MD Anderson began after MD Anderson suffered three separate data breaches. Throughout 2012 and 2013, an unencrypted laptop that contained ePHI was stolen from the personal residence of an MD Anderson employee and two unencrypted USB thumb drives containing ePHI were lost.

An investigation of MD Anderson revealed that, although MD Anderson had written encryption policies and had conducted a risk analysis concluding that the lack of device-level encryption posed a serious threat to the security of ePHI, it failed to encrypt all of its electronic devices containing ePHI. When the OCR and MD Anderson were unable to reach a settlement agreement related to MD Anderson’s HIPAA violations, the agency imposed a civil monetary penalty based on the number of days of MD Anderson’s noncompliance with HIPAA and the number of individuals whose ePHI was breached.

In upholding the OCR’s civil monetary penalty, the ALJ rejected MD Anderson’s arguments that it did not violate HIPAA’s regulatory requirements. The ALJ concluded that MD Anderson “recognized a problem, consisting of the vulnerability of its ePHI to unauthorized disclosure including by loss or theft, devised a mechanism to protect ePHI that included encryption of devices, and failed to implement that mechanism.” The ALJ also rejected MD Anderson’s claims that the civil monetary penalty was unreasonable.

It is rare for a HIPAA settlement to come before an ALJ. Generally, OCR investigations result in the negotiation and execution of a resolution agreement between HHS and the covered entity or business associate. The ALJ’s ruling marks only the second summary judgment victory since the OCR began its HIPAA enforcement efforts in the early 2000s. The $4.3 million settlement is the fourth largest HIPAA settlement either awarded to the OCR by an ALJ or obtained through settlement for HIPAA violations.

© 2023 BARNES & THORNBURG LLP

National Law Review, Volume VIII, Number 177

About this Author

Laura D. Seng, Barnes Thornburg Law Firm, South Bend, Healthcare Attorney
Partner

Laura Seng is a partner in Barnes & Thornburg LLP’s South Bend, Indiana, office and is the chair of the firm's national Healthcare Department. Ms. Seng concentrates her practice in regulatory compliance, transactional matters and medical-legal business issues for healthcare entities and individual providers. She is listed as a notable healthcare lawyer by Best Lawyers in America® and was recognized by her peers in Indiana Super Lawyers® as a “Rising Star” in healthcare law.

Ms. Seng represents hospitals, physicians, multi-specialty clinics and healthcare...

574-237-1129
Heather Delgado Healthcare Attorney
Partner

Healthcare providers depend upon Heather Delgado for her commitment to responsiveness and practical legal advice. Heather focuses on finding the right solution for her clients. She is valued for her ability to overcome the obstacles her clients face and for her skill in applying complex laws and regulations to their business practices.

Heather’s experience includes the representation of healthcare providers, including hospitals, health systems, specialty hospitals, ambulatory surgery centers, multi- and single-specialty medical practices, and a wide variety of healthcare...

312-338-5905
Michael Grubbs, Barnes Thornburg Law Firm, Indianapolis, Healthcare Law Attorney
Partner

J. Michael Grubbs is a partner in the Healthcare Department. He serves as administrator of the department for the Indianapolis, Indiana office. His practice includes representation of healthcare providers before state and federal healthcare regulatory agencies and in related litigation matters. His work also includes resolution of reimbursement and regulatory compliance issues as well as structuring or restructuring ventures and transactions to avoid problems before they arise.

Prior to entering the practice of law in 1988, Mr. Grubbs worked in...

317-231-7224
Erica Woebse, Barnes Thornburg Law Firm, Indianapolis, Cybersecurity and Health Care Law Attorney
Associate

Erica L. Woebse is an associate in Barnes & Thornburg’s Indianapolis office and a member of the firm’s Healthcare Department. Ms. Woebse provides organizational, contracting and strategic guidance to the firm’s healthcare clients.

Ms. Woebse counsels clients on compliance with federal and state healthcare laws and regulations. She assists clients with HIPAA compliance, including by drafting HIPAA policies and procedures; training privacy and security officers; and guiding clients through HIPAA breaches. Ms. Woebse also counsels clients on...

317-231-7838 Read more: http://www.btlaw.com/Erica-L-Woebse/