An Administrative Law Judge at the U.S. Department of Health and Human Services (HHS) ruled that The University of Texas MD Anderson Cancer Center violated HIPAA and ordered it to pay $4.3 million in penalties to the HHS Office for Civil Rights (OCR).
MD Anderson is both a degree-granting academic institution and a comprehensive cancer treatment and research center located in Houston.
OCR investigated MD Anderson following three separate data breaches reported between 2012 and 2013: the theft of an unencrypted laptop and the loss of two unencrypted USB thumb drives, which together held electronic protected health information (ePHI) for over 33,500 individuals.
OCR’s investigation found that although MD Anderson had written encryption policies, it had not actually implemented them, and that its practices posed a high risk to the security of individuals’ ePHI.
The ALJ agreed with OCR’s arguments and upheld OCR’s penalties, which were assessed for each day of MD Anderson’s non-compliance with HIPAA and for each individual’s record that was exposed.
“We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption when required to protect sensitive patient information,” said OCR Director Roger Severino.
The Take-Away: This case is hard proof that handling electronic protected health information is serious business. If you do not have AND FOLLOW a strict digital security procedure that keeps your data safe and secure at all times, you can be hit with massive fines and penalties. As this case shows, a written encryption policy that is never actually applied to laptops and removable media offers no protection at all.
The Notice of Proposed Determination and the ALJ’s opinion may be found on the OCR website at: