by Evan Sweeney
Jun 18, 2018 4:25pm
An administrative law judge ruled the University of Texas MD Anderson Cancer Center must pay a $4.3 million penalty issued by the Department of Health and Human Services for HIPAA violations.
The three data breaches in question date back to 2012 and 2013, when an unencrypted laptop was stolen from an MD Anderson employee and two unencrypted USB thumb drives containing information of 33,500 patients were lost. An investigation by the HHS Office for Civil Rights found MD Anderson had written encryption policies dating back to 2006, and an internal risk analysis found a lack of encryption on hospital-owned devices posed a security risk.
Still, MD Anderson failed to encrypt its inventory of electronic devices, which prompted OCR to issue fines for each day of HIPAA noncompliance and for each record that was exposed. OCR issued the fine in March 2017, citing the provider’s “willful neglect” and enforcing the maximum available penalty.
“OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” OCR Director Roger Severino said in a statement. “We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information.”
In his judgment, the administrative law judge said the fines were warranted because MD Anderson “failed to adopt an effective mechanism” to protect patient data. He also rebuffed an argument by the provider that stolen information is only disclosed when it is viewed by a third party.
“The plain language of the regulation doesn't suggest that,” Steven T. Kessel wrote in his decision (PDF). “Moreover, to interpret the regulation so narrowly as Respondent suggests would render its prohibitions against unauthorized disclosure to be meaningless. If Respondent had its way, it and other covered entities could literally cast ePHI to the winds and be immune from penalty so long as OCR fails to prove that someone else received and viewed that information.”
Monday’s decision marks the second summary judgment victory in OCR’s history of HIPAA enforcement. It is the fourth-largest fine in OCR’s history.
In a statement to FierceHealthcare, MD Anderson said it plans to appeal the ruling.
"Patient privacy is of extreme importance at The University of Texas MD Anderson Cancer Center, and substantial measures are in place to ensure the protection of private patient information," a spokesperson said in a statement. "In all three cases involving the loss or theft of devices reviewed by the Administrative Law Judge (ALJ), there is no evidence any patient information was viewed or any harm to patients was caused.
"We are disappointed by the ALJ’s ruling, and we are concerned that key exhibits and arguments were not considered. MD Anderson plans to appeal the ruling, which will result in a full review of all of the arguments and evidence. Regardless of the ALJ’s decision, we hope this process brings transparency, accountability and consistency to the Office for Civil Rights’ enforcement process.
"MD Anderson remains committed to patient privacy, and we will continue our efforts to remain an industry leader in safely protecting patient information."
Editor's Note: This story has been updated to include a statement from MD Anderson.