ALJ OKs $4.3M HIPAA Fine on MD Anderson Over Encryption; Layered Security Is Advised

The $4.3 million penalty slapped on MD Anderson Cancer Center for allegedly violating the HIPAA regulations will stand, at least for now. Administrative Law Judge (ALJ) Steven Kessel sided with the HHS Office for Civil Rights (OCR), which fined the Houston health system last year in connection with three breaches that led to the disclosure of 33,500 people’s electronic protected health information (ePHI) when an unencrypted laptop and two thumb drives went missing. MD Anderson appealed, arguing the fines were unreasonable, that it wasn’t required to encrypt the ePHI, and that the information isn’t subject to HIPAA nondisclosure requirements because it’s research related.

But the ALJ wasn’t buying.

“The penalties in this case are reasonable given the gravity of Respondent’s noncompliance and the number of individuals potentially affected,” Kessel said in the decision (No. CR51110). “What is most striking about this case is that Respondent knew for more than five years that its patients’ ePHI was vulnerable to loss and theft and yet, it consistently failed to implement the very measures that it had identified as being necessary to protect that information.”

The tug of war isn’t over, however. MD Anderson said it will appeal. “We hope this process brings transparency, accountability and consistency to the Office for Civil Rights’ enforcement process,” according to a statement.

A lot of HIPAA penalties hit organizations that fall short on HIPAA security risk assessments, but this time it’s also about the alleged failure to follow through, says attorney Richelle Marting, with the Forbes Law Group in Overland Park, Kansas. “It’s not just the thought that counts. You have to do something with your security risk assessment or you will face penalties.”

Don’t put all your eggs in the encryption basket, however, says Alexander Laham, information security manager at Lawrence General Hospital in Massachusetts. While encryption is a no-brainer—“to properly secure your data in conformance with HIPAA security requirements, you need encryption”—it’s enhanced by “layered security,” he says.
