An administrative law judge (ALJ) has ordered the University of Texas MD Anderson Cancer Center to pay $4.3 million in civil monetary penalties for HIPAA violations. In his summary judgment ruling, the ALJ upheld the civil monetary penalty imposed by the Office for Civil Rights (OCR). The ALJ determined that the OCR’s civil monetary penalty was appropriate to remedy MD Anderson’s failure to encrypt its laptops and USB thumb drives and its unlawful disclosure of the electronic protected health information (ePHI) of more than 33,500 individuals.
The OCR’s investigation of MD Anderson began after MD Anderson suffered three separate data breaches. Throughout 2012 and 2013, an unencrypted laptop that contained ePHI was stolen from the personal residence of an MD Anderson employee and two unencrypted USB thumb drives containing ePHI were lost.
An investigation of MD Anderson revealed that despite the fact that MD Anderson had written encryption policies and had conducted a risk analysis that concluded that the lack of device-level encryption posed a serious threat to the security of ePHI, MD Anderson failed to encrypt all of its electronic devices containing ePHI. When the OCR and MD Anderson were unable to reach a settlement agreement related to MD Anderson’s HIPAA violations, the agency imposed a civil monetary penalty based on the number of days of MD Anderson’s noncompliance with HIPAA and the number of individuals whose ePHI was breached.
In upholding the OCR’s civil monetary penalty, the ALJ rejected MD Anderson’s arguments that it did not violate HIPAA’s regulatory requirements. The ALJ concluded that MD Anderson “recognized a problem, consisting of the vulnerability of its ePHI to unauthorized disclosure including by loss or theft, devised a mechanism to protect ePHI that included encryption of devices, and failed to implement that mechanism.” The ALJ also rejected MD Anderson’s claims that the civil monetary penalty was unreasonable.
It is rare for a HIPAA settlement to come before an ALJ. Generally, OCR investigations result in the negotiation and execution of a resolution agreement between HHS and the covered entity or business associate. The ALJ’s ruling marks only the second summary judgment victory since the OCR began its HIPAA enforcement efforts in the early 2000s. The $4.3 million settlement is the fourth largest HIPAA settlement either awarded to the OCR by an ALJ or obtained through settlement for HIPAA violations.