
From Health Law Daily, June 19, 2018

Texas cancer center to pay $4.3 million in penalties for ePHI breaches

By Elizabeth M. Dries, J.D.

The University of Texas MD Anderson Cancer Center (MD Anderson) violated the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) when it failed to consistently encrypt its inventory of electronic devices containing electronic protected health information (ePHI), which allowed that ePHI to be disclosed. The Departmental Appeals Board (DAB) granted summary judgment to the HHS Office for Civil Rights (OCR) on all issues, ruling that MD Anderson was obligated to encrypt all of its electronic devices and that the ePHI at issue was not research data and was therefore subject to HIPAA’s nondisclosure requirements. Furthermore, the DAB found the penalties reasonable in light of the offense (Director of the Office for Civil Rights v. The University of Texas MD Anderson Cancer Center, Docket No. C-17-854, Decision No. CR5111, June 1, 2018).

Breach and penalties. MD Anderson operates as both an academic institution and a cancer treatment and research center. OCR investigated MD Anderson following three separate data breach reports in 2012 and 2013 involving the theft of an unencrypted laptop from an employee’s home and the loss of two unencrypted USB thumb drives; together, the devices contained ePHI for over 33,500 individuals. MD Anderson had formal encryption policies beginning in 2006 and had conducted risk analyses that found the lack of device-level encryption posed a high risk to the security of ePHI. Despite the encryption policies and high-risk findings, MD Anderson did not begin to adopt an institution-wide solution for encrypting ePHI until 2011, and even then it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011 and January 25, 2013. OCR imposed civil money penalties on MD Anderson for each day of its noncompliance with HIPAA and for each individual whose records were breached, totaling $4,348,000.

Obligation to implement solutions. On appeal, MD Anderson argued that the institution was under no obligation to encrypt its electronic devices under HIPAA and that it did not commit an unlawful disclosure because there was no indication that the electronic information had been viewed by anyone. It further argued that the ePHI at issue was research data and not subject to HIPAA’s nondisclosure requirements. Finally, it argued that the civil money penalties imposed were unreasonable. The DAB rejected each of these arguments. While encryption is not a mechanism specifically dictated by the regulations, it was the mechanism that MD Anderson chose to protect the ePHI on its portable devices, and once MD Anderson elected to use encryption it was obligated to implement it consistently. In addition, the DAB reasoned that lost information need not be viewed in order to be disclosed; it need only be released. MD Anderson’s assertion that HIPAA did not apply because the ePHI on the lost and stolen devices was research information was also rejected, since the lost information contained patients’ names, addresses, Social Security numbers, medical diagnoses, and treatment plans. The duration and amount of the penalties OCR imposed were reasonable in light of the large number of individuals affected, the number of days the noncompliance continued, and the size of the institution.
