University of Texas MD Anderson Cancer Center Ordered to Pay $4.3 Million HIPAA Violation Penalty

The Department of Health and Human Services’ Office for Civil Rights (OCR) recently issued its fourth largest HIPAA violation penalty to The University of Texas MD Anderson Cancer Center (MD Anderson). The civil monetary penalty of $4,348,000 covers HIPAA violations that contributed to three data breaches in 2012 and 2013.

After MD Anderson submitted the three breach reports in 2012 and 2013, OCR investigated the institution to determine whether the breaches resulted from MD Anderson’s failure to comply with the HIPAA Rules. All three breaches involved the theft or loss of portable devices containing patients’ electronic protected health information (ePHI): one an unencrypted laptop computer in the possession of an MD Anderson employee, the other two unencrypted USB thumb drives. The ePHI of 34,883 patients was compromised and may have fallen into the hands of unauthorized individuals.

MD Anderson did conduct the risk analysis required by the HIPAA Security Rule, and that analysis identified the risk to the confidentiality, integrity, and availability of ePHI posed by unencrypted devices. In response, in 2006 MD Anderson adopted a policy requiring encryption of all portable storage devices containing ePHI.

Even though its own policy called for encryption, MD Anderson did not begin implementing it until March 24, 2011, and even then did not roll it out to every portable device in its inventory. MD Anderson reported to OCR that by January 25, 2013 it had encrypted only 98% of its computers. Had MD Anderson encrypted every portable electronic device containing ePHI, all three breaches could have been avoided: a lost or stolen device whose ePHI is properly encrypted does not expose the data to whoever ends up holding it.

One of the breaches involved the theft of a laptop from the home of Dr. Randall Millikan on April 30, 2012. The laptop was not password protected and the ePHI stored on it was not encrypted, so Dr. Millikan’s family members could have viewed the ePHI, as could the thief.

The first USB drive, which contained the ePHI of 2,264 individuals, was lost around July 12, 2012 by a summer intern. The second USB drive, which was neither encrypted nor password protected, was lost by a visiting researcher from Brazil.

From 2010 to 2011, MD Anderson’s Information Security Program and Annual Reports clearly identified the use of mobile media holding ePHI as a critical risk area. According to the risk analysis, employees were downloading ePHI onto portable storage devices and using them outside the work premises. Failing to address this risk violated 45 C.F.R. § 164.312(a)(2)(iv), the Security Rule’s encryption and decryption specification, as well as MD Anderson’s own policies. That specification is “addressable” rather than “required,” but addressable does not mean optional: a covered entity must either implement it or document why it is not reasonable and appropriate and put an equivalent alternative measure in place. MD Anderson’s own risk analysis had already concluded that encryption was the appropriate control.

OCR issued a financial penalty against MD Anderson, but the institution considered the penalty unreasonable and contested the decision. MD Anderson argued that it was not required to encrypt the data because the data were used for research, and that research data were not subject to HIPAA’s disclosure restrictions. The case then went before an Administrative Law Judge for adjudication.

OCR maintained that MD Anderson should be penalized and calculated the penalty using the $1.5 million annual cap for calendar years 2011, 2012 and 2013. Administrative Law Judge Steven T. Kessel granted summary judgment in favor of OCR, finding that MD Anderson had violated 45 C.F.R. § 164.312(a)(2)(iv) (the Technical Safeguards encryption requirement) and 45 C.F.R. § 164.502(a) (impermissible disclosure of ePHI).