An HHS administrative law judge has ruled that MD Anderson Cancer Center violated HIPAA and must pay $4,348,000 to the HHS Office for Civil Rights.

The violations date back to three separate breach reports in 2012 and 2013. The incidents involved the theft of an unencrypted laptop from an MD Anderson employee’s residence, as well as the loss of two unencrypted USB thumb drives; together the devices held the unencrypted ePHI of more than 33,500 people.

OCR investigated the Houston, Texas-based organization after the reports and found MD Anderson had written encryption policies dating back to 2006. OCR also discovered the health system’s risk analyses had found that the lack of device-level encryption posed a risk to the security of electronic protected health information.

However, MD Anderson didn’t adopt a solution to implement ePHI encryption until 2011. It also didn’t encrypt its devices containing ePHI between March 24, 2011 and January 25, 2013.

MD Anderson said it wasn’t obliged to encrypt its devices, and noted the ePHI in question was used for “research” purposes and therefore wasn’t subject to HIPAA’s nondisclosure requirements. It also argued that HIPAA’s penalties were unreasonable.

But the judge sided with OCR.

When contacted for comment on June 19, MD Anderson sent the following statement via email:

Patient privacy is of extreme importance at The University of Texas MD Anderson Cancer Center, and substantial measures are in place to ensure the protection of private patient information. In all three cases involving the loss or theft of devices reviewed by the Administrative Law Judge (ALJ), there is no evidence any patient information was viewed or any harm to patients was caused. We are disappointed by the ALJ’s ruling, and we are concerned that key exhibits and arguments were not considered. MD Anderson plans to appeal the ruling, which will result in a full review of all of the arguments and evidence. Regardless of the ALJ’s decision, we hope this process brings transparency, accountability and consistency to the Office for Civil Rights’ enforcement process. MD Anderson remains committed to patient privacy, and we will continue our efforts to remain an industry leader in safely protecting patient information.

According to HHS, the $4.3 million amount is the fourth largest sum ever awarded to OCR by an ALJ or secured in a HIPAA settlement.

David Holtzman, CynergisTek’s vice president of compliance strategies, agreed with the ALJ’s decision about MD Anderson.

“This was not an organization who had used their best efforts to safeguard PHI or an organization that was unaware of what its responsibilities were or lacked the resources to take the appropriate measures that it itself had identified,” he said in a phone interview.
