An administrative law judge (“ALJ”) recently ruled that the University of Texas MD Anderson Cancer Center (“MD Anderson”) in Houston must pay a $4.3 million fine to HHS Office of Civil Rights (“OCR”) for HIPAA data privacy and security violations. It is the fourth largest HIPAA-related settlement ever paid to the OCR. The ALJ fines included daily fines for MD Anderson’s non-compliance over a 22-month period and annual fines of $1.5 million for each of two calendar years. With respect to the $4.3 million penalty, the ALJ noted that MD Anderson is a “multi-billion dollar per year business” and “remedies in this case need to be more than a pinprick in order to assure that [MD Anderson] and similarly situated entities comply with HIPAA’s non-disclosure requirements.” MD Anderson plans to appeal this decision.
In 2012 and 2013, a series of data breaches occurred at MD Anderson: (i) an employee’s laptop was stolen; (ii) a company trainee lost a thumb drive; and (iii) a visiting researcher lost another thumb drive. Altogether, these devices contained records of approximately 33,800 patients. The OCR’s investigation revealed that MD Anderson had written policies requiring encryption at the time of these breaches, and that it had recognized the need to encrypt data as early as 2006. Notwithstanding those policies, MD Anderson did not begin encrypting laptops until multiple years thereafter, and the ALJ noted in his written opinion that MD Anderson “made only half-hearted and incomplete efforts at encryption.” The ALJ opinion noted that as of November 2013 more than 4,400 MD Anderson computers were not encrypted, and that as of January 2014 more than 2,600 MD Anderson computers were still not encrypted. Further, a 2011 MD Anderson risk analysis had identified the lack of an enterprise-wide encryption solution as a “high risk” area. Because the lost health records were not encrypted, the OCR determined that MD Anderson had violated the HIPAA privacy and security rules.
The MD Anderson ruling demonstrates the importance of an effective HIPAA security program and of timely efforts to ensure full compliance. In particular, (i) areas identified as “high risk” in HIPAA risk analyses should be remediated as quickly as possible; and (ii) covered entities and business associates should not only develop their policies but actually implement them. The size of the penalty in this matter serves as an important reminder of the costly impact of HIPAA non-compliance.