The University of Texas MD Anderson Cancer Center settled with the U.S. Department of Health and Human Services' Office for Civil Rights for $4,348,000 for HIPAA violations, a penalty that was upheld by the HHS administrative law judge.
The fine is the fourth largest financial settlement with OCR.
MD Anderson suffered three separate data breaches in 2012 and 2013 involving the theft of an unencrypted laptop and the loss of two USB thumb drives containing the unencrypted data of more than 33,500 patients.
The OCR investigation that followed found the cancer center hadn't updated its encryption policies since 2006. Further, a risk assessment by MD Anderson found that the lack of encryption posed a high risk of loss of patient data.
Despite these observations, OCR officials said that MD Anderson failed to begin adopting encryption policies for patient data until 2011. Even then, it didn't encrypt its inventory of devices containing patient data between 2011 and 2013.
MD Anderson officials argued that the data didn't need to be encrypted because the patient data was for research purposes and not subject to HIPAA. Further, they said the OCR fine was "unreasonable."
But the HHS administrative law judge sided with OCR and found the penalty was reasonable, "given the gravity of [MD Anderson's] noncompliance and the number of individuals potentially affected," adding that the penalties "are minuscule when compared to the respondent's size and the volume of business that it does."
"[MD Anderson's] dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI, a risk that respondent not only recognized but that it restated many times," Steven Kessel, the administrative law judge, wrote in his decision.
OCR Director Roger Severino said in a statement that the office is pleased the judge upheld its penalties. "It underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information," Severino added.
MD Anderson is not alone in failing to encrypt its data despite HIPAA requirements to do so.
Earlier this year, Fresenius Medical Care North America settled with OCR for $3.5 million following an OCR investigation of a string of breaches in 2013. The health system didn't encrypt health data on its devices.
Twitter: @JessieFDavis