The Department of Health and Human Services’ Office for Civil Rights has announced its third HIPAA financial penalty of 2018. The $4.34 million civil monetary penalty is the fourth largest HIPAA penalty ever issued to resolve HIPAA violations.

While most covered entities and business associates agree to settle HIPAA violations and pay the penalty, on rare occasions the penalties are contested, and the case goes before an administrative law judge (ALJ). The ALJ must determine whether the penalties are justified, and the penalty amount is reasonable.

The University of Texas MD Anderson Cancer Center (MD Anderson) experienced three data breaches in 2012 and 2013 that resulted in the exposure of 34,883 patients’ electronic protected health information (ePHI). In April 2012, a laptop computer was stolen from the home of a physician. The device was not encrypted nor protected with a password and contained the ePHI of 29,021 individuals.

In July 2012, a summer intern lost a zip drive on which an Excel spreadsheet containing the ePHI of 2,264 patients had been saved. The device was not encrypted nor protected with a password. In December 2013, a visiting researcher lost an unencrypted and non-password protected zip drive containing the ePHI of 3,598 patients.

In addition to the loss of the devices, the lack of security controls on the laptop meant family members of the physician cold have viewed ePHI stored on the computer. The second zip drive was usually left unprotected in the researcher’s tray on her desk.

OCR investigated the breaches to determine whether HIPAA Rules had been followed and if the breaches could have been prevented had appropriate controls been implemented. OCR determined that MD Anderson had failed to comply with multiple requirements of HIPAA.

While the use of encryption is not mandatory, if the decision is taken not to encrypt ePHI, equivalent safeguards must be implemented in its place. In this case, MD Anderson had conducted a risk analysis and determined that the lack of encryption posed a serious threat to the confidentiality of ePHI. To manage that risk and reduce it to a reasonable level, policies had been developed in 2006 requiring the use of encryption on all portable electronic devices that contained ePHI.

On multiple occasions MD Anderson had highlighted the serious risk to the confidentiality of ePHI, yet failed to implement encryption until May 24, 2011, and even then it took until January 25, 2018 for encryption to be implemented on 98% of its devices.

The failure to encrypt ePHI constituted a violation of 45 C.F.R. § 164.312(a) – The technical safeguards of the HIPAA Security Rule – according to OCR. The data breaches also constituted a violation of 45 C.F.R. § 164.502(a) – Allowable uses and disclosure of PHI.

OCR determined that the HIPAA violations fell short of ‘willful neglect’ and instead were penalized under the ‘reasonable cause’ tier. Reasonable cause is “an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.”

The penalties for these HIPAA violations is a minimum of $1,000 per violation up to a maximum of $1.5 million per calendar year. Since these violations were determined to have spanned three years, and 34,883 patients were impacted, OCR chose to penalize MD Anderson at the maximum level of $1.5 million per calendar year.

MD Anderson claimed that it was not required to use encryption as the data were used for research and fell outside of HIPAA. The penalty amount was also contested and was thought to be excessive.

The ALJ disagreed and ruled in favor of OCR. MD Anderson is required to pay OCR $4,348,000 in civil monetary penalties to resolve the HIPAA violations.

“OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” said OCR Director Roger Severino. “We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information.”