The press release below from HHS about HIPAA penalties just came across my desk and I thought you might be interested. This $4.3 million penalty involved the Covered Entity failing to encrypt portable devices despite having policies in place that required that encryption be performed on all portable devices. This penalty against the University of Texas Cancer Center resulted from the theft of an un-encrypted laptop from the residence of an employee and the loss of two un-encrypted thumb drives containing the un-encrypted electronic protected health information (ePHI) of over 33,500 individuals.
This appears to be a case of the tech department not knowing the security policies or just flat out ignoring them. Healthcare providers can’t just take their tech staffs assurances of complete security protection for granted. There should always be an audit to insure that your rules are being followed and enforced.
What’s your policy on encrypting mobile/portable devices? Do you enforce that policy? Are all of the USB ports on your desktop PC’s turned off or at least set to encrypt any data that is written through them?
If you don’t know that answers to these questions, maybe it’s time to give me a call so we can develop a plan to deal with this Risk before someone steals one of your notebooks that contains patient information or an employee takes PHI off-site on a flash drive without your knowledge.
Jeff Hoffman
ACT Network Solutions
(847) 639-7000
==================================================================================
Department of Health and Human Services – Office of Civil Rights
Press Release Date: June 18, 2018
Judge rules in favor of OCR and requires a Texas cancer center to pay $4.3 million in penalties for HIPAA violations
A U.S. Department of Health and Human Services Administrative Law Judge (ALJ) has ruled that The University of Texas MD Anderson Cancer Center (MD Anderson) violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and granted summary judgment to the Office for Civil Rights (OCR) on all issues, requiring MD Anderson to pay $4,348,000 in civil money penalties to OCR. This is the second summary judgment victory in OCR’s history of HIPAA enforcement and the $4.3 million is the fourth largest amount ever awarded to OCR by an ALJ or secured in a settlement for HIPAA violations.
MD Anderson is both a degree-granting academic institution and a comprehensive cancer treatment and research center located at the Texas Medical Center in Houston. OCR investigated MD Anderson following three separate data breach reports in 2012 and 2013 involving the theft of an unencrypted laptop from the residence of an MD Anderson employee and the loss of two unencrypted universal serial bus (USB) thumb drives containing the unencrypted electronic protected health information (ePHI) of over 33,500 individuals. OCR’s investigation found that MD Anderson had written encryption policies going as far back as 2006 and that MD Anderson’s own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI. Despite the encryption policies and high risk findings, MD Anderson did not begin to adopt an enterprise-wide solution to implement encryption of ePHI until 2011 , and even then it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011 and January 25, 2013. The ALJ agreed with OCR’s arguments and findings and upheld OCR’s penalties for each day of MD Anderson’s non-compliance with HIPAA and for each record of individuals breached.
“OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” said OCR Director Roger Severino. “We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information.”
MD Anderson claimed that it was not obligated to encrypt its devices, and asserted that the ePHI at issue was for “research,” and thus was not subject to HIPAA’s nondisclosure requirements. MD Anderson further argued that HIPAA’s penalties were unreasonable. The ALJ rejected each of these arguments and stated that MD Anderson’s “dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI,” a risk that MD Anderson “not only recognized, but that it restated many times.”
If you believe that a person or organization covered by the Privacy and Security Rules (a “covered entity”) violated your health information privacy rights or otherwise violated the Privacy or Security Rules, you may file a complaint with OCR.  For additional information about how to file a complaint, visit OCR’s web page on filing complaints at https://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html.