Director of the Office for Civil Rights v. Univ. of Tex. MD Anderson Cancer Ctr., Decision No. CR5111 (June 1, 2018); HHS Notice of Proposed Determination, Transaction Nos. 12-145395, 12-147543, and 14-175214 (March 24, 2017); HHS Press Release (June 18, 2018)
An administrative law judge (ALJ) has approved a $4.3 million civil monetary penalty against a cancer treatment and research center (a HIPAA covered entity) after protected health information (PHI) of more than 30,000 individuals was breached following the theft of an unencrypted laptop computer from a teleworker’s home and the loss of unencrypted USB drives by two other workforce members. An investigation by HHS’s Office for Civil Rights (OCR) found that, as early as 2006, the covered entity had recognized the need to encrypt devices to address a high risk to PHI, but enterprise-wide encryption was delayed for years and by 2013 still had not been fully implemented. OCR proposed penalties of $2,000 per day from March 2011 to January 2013 for the failure to encrypt, and penalties of $1.5 million per year for 2012 and 2013 for the unauthorized disclosures of PHI. The covered entity challenged the penalties under HHS’s administrative process.
The covered entity argued that full encryption was not required because it had adopted alternative mechanisms such as password protection, device encryption and backup in case of disaster or loss of information, and annual employee training on particular security practices. The ALJ rejected this argument, citing the covered entity’s own decision to focus on organization-wide encryption, its years-long delay in implementing its self-selected mechanism, and the “spectacular” failure of the alternative mechanisms to protect PHI. The ALJ also dismissed the assertion that losing PHI did not constitute a disclosure because OCR could not prove that an unauthorized party accessed the PHI, reasoning that forcing OCR to prove that a third party viewed the PHI would render HIPAA’s protections meaningless. The ALJ rejected the covered entity’s contention that PHI for research purposes is not covered by HIPAA’s privacy rule. The ALJ also ruled that “unsanctioned” acts of third parties, i.e., the person who stole the laptop and the workforce members who failed to follow security policies, did not excuse the covered entity from the consequences of the breaches. Finally, the ALJ upheld the penalties under the “reasonable cause” tier because the covered entity knew or should have known that its failure to encrypt violated HIPAA’s security rule (but its failure did not constitute willful neglect); the undisputed facts showed the covered entity was noncompliant on each day of the period in question; and the $2,000 daily penalty was far below the $50,000 daily maximum authorized by law.
EBIA Comment: The ALJ’s analysis, which framed the question as whether the covered entity took the necessary steps to address an identified risk to PHI on mobile devices, illustrates HIPAA’s focus on risk management. Thus, the covered entity’s liability stemmed from its failure to execute its encryption plan, and did not depend on whether an unauthorized person viewed the PHI, whether individuals suffered harm, or whether the unauthorized disclosures resulted from inadvertence, negligence, or intentional wrongdoing of third parties. And, as we have seen in other cases (see, for example, our article), the failure to take proactive steps to address identified vulnerabilities was cited as an aggravating factor. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX.E (“Civil Monetary Penalties”), XXX.D.1 (“Standard: Access Control”), and XXX.D.5 (“Standard: Transmission Security”). You may also be interested in our recorded webinar “Learning the Ropes: An Introduction to HIPAA Privacy & Security” (recorded on 1/17/18).
Contributing Editors: EBIA Staff.