The OCR ordered the University of Texas MD Anderson Cancer Center to pay $4.3 million in penalties for HIPAA violations after half-hearted and incomplete efforts at encryption.
Judgement Against MD Anderson
“A U.S. Department of Health and Human Services Administrative Law Judge (ALJ) has ruled that The University of Texas MD Anderson Cancer Center (MD Anderson) violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and granted summary judgment to the Office for Civil Rights (OCR) on all issues, requiring MD Anderson to pay $4,348,000 in civil money penalties to OCR. Moreover this is the second summary judgment victory in OCR’s history of HIPAA enforcement and the $4.3 million is the fourth largest amount ever awarded to OCR by an ALJ or secured in a settlement for HIPAA violations.”
Encryption Policies Ignored
The Office of Civil Rights (OCR) ordered the University of Texas MD Anderson Cancer Center (MD Anderson) to pay $4,348,000. These were civil money penalties for HIPAA violations because it did not follow its own encryption policies or the HIPAA Rules.
Entities of MD Anderson lost an unencrypted laptop and two flash drives during 2012 and 2013 . The devices contained the electronic personal health information of over 33,500 individuals. Consequently this lack of technical safeguards influenced greatly the decision of OCR.
OCR Serious About Lack of Technical Safeguards
Despite creating policies for encryption, the center failed to follow these or to quickly pursue its implementation after the 2012 and 2013 breaches. As a result it was clear to the courts the organization had failed to follow the HIPAA rule after the investigation.
“OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” said OCR Director Roger Severino. The $4.3 million is the fourth largest amount ever awarded to the OCR.
Most importantly, it is important to know that having security policies is not sufficient. An organization must observe and follow these policies to protect patients and the entity. Consequently, all organizations must routinely review their plan, train their employees on HIPAA and monitor that everyone follows the plan.