Create a policy, ignore a policy, pay $4 million

by Julia Kyles, CPC on Jun 19, 2018
Providers are not required to encrypt protected health information (PHI), but it's something they should consider. Not only does proper encryption spare a provider the hassle and embarrassment of reporting a breach, but, as a recent article in Medical Practice Compliance Alert warned, it's getting harder for providers to defend the decision not to encrypt. And as the University of Texas MD Anderson Cancer Center just discovered, a provider can expect no mercy when it has a written policy that calls for encryption and suffers a major breach because it failed to follow its own policy.
 
Yesterday's press release from the HHS Office for Civil Rights (OCR) provides details about the summary judgment:
"A U.S. Department of Health and Human Services Administrative Law Judge (ALJ) has ruled that The University of Texas MD Anderson Cancer Center (MD Anderson) violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and granted summary judgment to the Office for Civil Rights (OCR) on all issues, requiring MD Anderson to pay $4,348,000 in civil money penalties to OCR. This is the second summary judgment victory in OCR’s history of HIPAA enforcement and the $4.3 million is the fourth largest amount ever awarded to OCR by an ALJ or secured in a settlement for HIPAA violations."
The ALJ's decision contains a breakdown of the civil money penalties levied against the center:
  • $2,000 per day, for each day between March 24, 2011 and January 25, 2013.
  • $1,500,000 per year for the years 2012 and 2013.
MD Anderson had three breach reports in 2012 and 2013 thanks to the theft of an unencrypted laptop from an employee's home and the loss of two unencrypted thumb drives. Combined, the devices contained PHI for more than 33,500 people. When the OCR investigated, it discovered that MD Anderson had created written policies that called for encryption in 2006. In addition, the center had conducted a risk analysis and determined that the lack of encryption posed a high risk to the security of electronic PHI. To make matters worse:
Despite the encryption policies and high risk findings, MD Anderson did not begin to adopt an enterprise-wide solution to implement encryption of ePHI until 2011, and even then it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011 and January 25, 2013.
The multiple failures prompted a harsh ruling from the ALJ, who described MD Anderson's conduct after the breach as dilatory and shocking given the high risk to its patients and the fact that the center recognized the risk and restated it many times.
 
And while it may seem hard to believe, MD Anderson reported another breach the day before the ALJ's ruling: on May 31, the center reported an unauthorized access/disclosure breach via email that involved the PHI of 1,266 patients.
 
A notice to patients on the center's website provides more details:
On May 3, 2018, an MD Anderson employee sent an email seeking to recruit people for a research study involving people with a history of colon cancer. The employee meant to send the email in a manner that hid the email addresses of the recipients, but accidentally made the email addresses visible to the others who received the email. We were able to stop delivery on some of the emails, but approximately 599 people still received it. These people may have seen the email addresses to which the email was sent and, if they were able to identify anyone from their email address, may have assumed the person was an MD Anderson patient and had a history of colon cancer.
It could be that MD Anderson will be writing another check to the OCR in the near future.
The information contained herein was current as of the publication date. © Copyright DecisionHealth, all rights reserved. Electronic or print redistribution without prior written permission of DecisionHealth is strictly prohibited by federal copyright law.