An administrative judge ruled in June that the University of Texas MD Anderson Cancer Center violated HIPAA after a laptop was stolen from an employee’s home and two USB devices were lost. In only the second summary judgment related to HIPAA, the fourth largest HIPAA penalty on record was handed down: just over $4.3 million.
The breaches, from 2012 and 2013, involved unencrypted electronic devices. The federal Office for Civil Rights (OCR) within the Department of Health and Human Services found that the organization had encryption policies and knew unencrypted devices were at risk, but had not taken steps to fully remedy the situation. MD Anderson said it had tried its best to get devices encrypted. But going through summary judgment is a challenge, even for large organizations like MD Anderson.
An encryption debacle
According to court documents, MD Anderson knew its transportable media was at risk for breaches and had written policies to encrypt or place other access controls on them. But Steven T. Kessel, an administrative law judge, said the organization “made only half-hearted and incomplete efforts at encryption,” and, after delaying for years, “proceeded with encryption at a snail’s pace.”
He was referring to the timetable noted in the judgment. MD Anderson has records from 2006 showing that encryption should be performed. In 2009, when no laptops had been encrypted, it put efforts on hold because of financial constraints. In 2010, after having a laptop stolen and other records lost, its director of information security proposed revamping the effort.
According to court documents, the organization did not encrypt or use other means to secure devices until 2012. Even then, only about 10% of devices were encrypted. It purchased encrypted USBs only after a theft in 2012. The laptop stolen from an employee’s residence in 2013 was neither encrypted nor password protected.
MD Anderson refused to settle with OCR. Using some “unique” arguments, it contended that it did not violate HIPAA, according to Michael Chase, a law partner with Baird Holm LLP, based in Omaha. It argued that it should not pay the penalties because of a lack of proof of disclosure, encryption technicalities, and unreasonable penalties. “And the judge disagreed with all of those positions,” Chase said.
First, MD Anderson claimed it was not proven that the electronic protected health information (ePHI) on the devices was actually disclosed, and that there was no proof it was read. The judge did not accept this theory, saying that the fact the information was released met the requirement.
“If Respondent had its way, it and other covered entities could literally cast ePHI to the winds and be immune from penalty so long as OCR fails to prove that someone else received and viewed that information,” Kessel wrote in his ruling.
Second, MD Anderson claimed the stolen information should have been considered research and therefore not subject to HIPAA regulations. The judge countered that a regulatory mechanism exists for separating research data from medical information, but it had not been applied to this ePHI.
MD Anderson also argued that the employees responsible for the devices were not acting within the scope of their work. Though the employees might not have been following the organization’s policy, they were acting as employees at the time of the losses.
In addition, MD Anderson argued that it had made substantial efforts to complete its device encryption and so should have been given a break. The judge decided, “the bottom line is that whatever mechanisms an entity adopts must be effective.”
Good faith efforts may no longer be enough to mollify OCR, particularly following previous breaches. “Lots of organizations have good policies and procedures but fail to implement and follow them,” Chase said. “OCR has demonstrated that it isn’t buying [those arguments] anymore.” The requirement for encryption has been around for a long time, he said.
The price to pay
About 34,000 individuals’ ePHI was breached because of the laptop theft and USB losses. MD Anderson pursued summary judgment proceedings (as opposed to a settlement with OCR) because it felt OCR’s penalties should not have exceeded $100,000 a year.
The judge assessed MD Anderson $2,000 per day for each day of non-compliance (nearly 2 years). He also imposed a civil monetary penalty of $1.5 million for each of 2012 and 2013. Though stringent, he asserted in his opinion that the total comes to less than $90 for each violation.
“The penalties are minuscule when compared with Respondent’s size and the volume of business that it does,” Kessel said. “Remedies in this case need to be more than a pinprick in order to assure that Respondent and similarly situated entities comply with HIPAA’s non-disclosure requirements.”
Chase said organizations need to remember that, while encryption and other mitigation efforts may appear to cost a lot of money, the cost is likely less than the $4.3 million penalty assessed against MD Anderson. All providers need to inventory every device containing ePHI, including personal computers and USB drives that leave the premises.
Many doctors want to use their personal devices for calendars, email, and texts, but these devices may not be encrypted. Having a central person controlling the ePHI inventory allows an organization to say whether a stolen device contained ePHI and whether the device was encrypted.
Groups need to analyze where ePHI is stored, the function of those devices, and how the policies and procedures work to protect those devices. The inventory should also be updated on an ongoing basis. This can be challenging for large organizations because they have so many devices to track; smaller organizations often fall short because they lack the resources.
“It may be a matter of engaging an outside party to do the total backroom IT function, conduct or review a security risk analysis, and then help mitigate those risks found on the risk analysis,” Chase said. “Because it only takes 1 lost laptop or iPhone, and you are dealing with millions in settlement amounts, legal fees, and reputational costs.”