Failure to Encode ePHI Costs Cancer Treatment and Research Center $4.34 Million

June 21, 2018


The Division of Health and Human Services’ OCR has publicized its third HIPAA financial fine of 2018. The $4.34 million civil monetary fine is the fourth biggest HIPAA fine ever issued to settle HIPAA violations.

While most protected units and business associates agree to resolve HIPAA violations and pay the fine, on exceptional occasions the fines are disputed, and the case goes before an administrative law judge (ALJ). The ALJ should decide whether the fines are warranted, and the fine amount is realistic.

The University of Texas MD Anderson Cancer Center (MD Anderson) came across three data breaches in 2012 and 2013 that led to the disclosure of 34,883 patients’ electronic protected health information (ePHI). In April 2012, a laptop computer was thieved from the home of a doctor. The appliance was not encrypted nor safeguarded with a password and had the ePHI of 29,021 people.

The failure to encode ePHI was a breach of 45 C.F.R. § 164.312(a) – The technical protections of the HIPAA Safety Law – as per OCR. The data breaches also created a breach of 45 C.F.R. § 164.502(a) – Permissible uses and revelation of PHI.

OCR decided that the HIPAA violations fell short of ‘deliberate neglect’ and in its place were fined under the ‘reasonable cause’ tier. The reasonable reason is “an action or omission in which a protected unit or business associate knew, or by exercising sensible carefulness would have known, that the action or omission breached an administrative simplification facility, but in which the protected unit or business associate didn’t act with deliberate negligence.”

The fines for these HIPAA breaches is a minimum of $1,000 per breach up to a maximum of $1.5 million for each calendar year. As these breaches were decided to have spanned three years, and 34,883 patients were affected, OCR selected to fine MD Anderson at the maximum level of $1.5 million for each calendar year.

MD Anderson asserted that it was not mandatory to use encryption as the data were used for examination and fell outside of HIPAA. The fine amount was also disputed and was supposed to be too much.

The ALJ differed and decided in favor of OCR. MD Anderson is needed to pay OCR $4,348,000 in civil monetary fines to settle the HIPAA breaches.

“OCR is serious concerning safeguarding health information secrecy and will pursue the court case, if required, to hold units accountable for HIPAA breaches,” said OCR Director Roger Severino. “We are delighted that the magistrate endorsed our imposition of fines since it emphasizes the risks units take if they fail to apply effective protections, like data encryption, when needed to safeguard confidential patient information.”