$4.3 Million Dollar HIPAA Penalty

MD Anderson Fined 4.3 Million for HIPAA Violations

Written by Alexa Treubert

Despite HIPAA being such an important topic, many healthcare organizations fail to comply with the HIPAA Privacy and Security Rules. Chiefly, these rules protect patients' protected health information (PHI). The Standards for Privacy of Individually Identifiable Health Information, commonly known as the HIPAA Privacy Rule, set the national standard for protecting patients' private information. The Office for Civil Rights (OCR) enforces this rule. Following several complaints, the OCR determined that MD Anderson had failed to comply with the HIPAA Privacy Rule, and the institution now faces the consequences of leaving its data unprotected.

What Happened

A distinguished cancer center, the University of Texas MD Anderson Cancer Center (MD Anderson) suffered 3 separate security breaches during 2012 and 2013. The breaches are described in the Notice of Proposed Determination. Its Findings of Fact note that MD Anderson creates, maintains, receives, and transmits PHI. In total, the OCR identified 3 security breaches that exposed the PHI of 34,833 individuals. Below is a summary of the 3 breaches, each quoting the Notice of Proposed Determination.

“The first breach occurred on April 30, 2012, and involved the theft of an unencrypted laptop computer that contained the electronic protected health information (ePHI) for 29,021 individuals.”

The doctor who reported the issue did not have a password-protected laptop.

“The second breach occurred on July 13, 2012, and involved the loss of an unencrypted universal serial bus (USB) thumb drive that contained the ePHI for 2,264 individuals.”

Then, an intern lost a USB thumb drive containing ePHI and was unable to locate it.

“The third breach occurred on December 2, 2013, and also involved the loss of an unencrypted USB thumb drive.”

Finally, a visiting researcher from Brazil misplaced the thumb drive on her way home for Thanksgiving break.

The Result

Despite having written encryption requirements dating back to 2007, MD Anderson failed to implement encryption across the institution. MD Anderson's Compliance Risk Analysis for 2011 stated that there was no enterprise-wide solution to encrypt all laptops and mobile computing devices, and that employees were downloading ePHI onto portable devices for use outside the institution. As a result, the judge ruled in favor of the OCR and upheld penalties against MD Anderson of $1,348,000 for access-control violations and $3 million for impermissible disclosures.

Any massive HIPAA breach, like MD Anderson's, raises a lot of eyebrows in the healthcare community. Have you encrypted your data? Are you handling PHI securely? Are you the next practice that OCR will fine? If you have any questions regarding HIPAA compliance, feel free to contact one of our representatives. Also, check out our extensive list of HIPAA-specific courses. Preventing a problem is much easier than handling one – just ask MD Anderson.

Sources
U.S. Department of Health and Human Services. "Judge Rules in Favor of OCR and Requires a Texas Cancer Center to Pay $4.3 Million in Penalties for HIPAA Violations." HHS.gov, 18 June 2018, www.hhs.gov/about/news/2018/06/18/judge-rules-in-favor-of-ocr-and-requires-texas-cancer-center-to-pay-4.3-million-in-penalties-for-hipaa-violations.html.

© 2024 American Medical Compliance | All Rights Reserved