Failure to Encrypt ePHI Costs Cancer Cure and Research Center $4.34 Million

Jun 21, 2018


The Division of Health and Human Services’ OCR has declared its third HIPAA financial penalty of 2018. The $4.34 million civil monetary fine is the fourth biggest HIPAA fine ever issued to settle HIPAA breaches.

While most protected units and business associates agree to resolve HIPAA breaches and pay the fine, on exceptional occasions the fines are disputed, and the case goes before an administrative law judge (ALJ). The ALJ should decide whether the fines are correct, and the fine amount is reasonable.

The University of Texas MD Anderson Cancer Center (MD Anderson) suffered three data breaches in 2012 and 2013 that led to the disclosure of 34,883 patients’ electronic protected health information (ePHI). In April 2012, a laptop computer was thieved from the home of a doctor. The appliance was not encrypted nor safeguarded with a password and had the ePHI of 29,021 people.

In July 2012, a summer medical student misplaced a zip drive on which an Excel spreadsheet having the ePHI of 2,264 patients had been saved. The appliance was not encrypted nor safeguarded with a password. In December 2013, a visiting scientist lost an unencrypted and non-password safeguarded zip drive having the ePHI of 3,598 patients.

Besides the loss of the appliances, the lack of safety controls on the laptop implied family members of the doctor could have seen ePHI stored on the computer. The second zip drive was generally left insecure in the scientist’s tray on her desk.

OCR probed the breaches to decide whether HIPAA Laws had been obeyed and if the breaches might have been avoided had proper controls been applied. OCR decided that MD Anderson had failed to abide by several requirements of HIPAA.

Although the use of encryption is not compulsory, if the decision is taken not to encrypt ePHI, comparable protections should be applied in its place. In this instance, MD Anderson had carried out a risk analysis and decided that the lack of encryption posed a grave danger to the secrecy of ePHI. To manage that danger and decrease it to a sensible level, plans had been developed in 2006 needing the use of encryption on all moveable electronic appliances that had ePHI.

On several occasions MD Anderson had emphasized the grave danger to the secrecy of ePHI, however, failed to apply encryption until May 24, 2011, and even then it took until January 25, 2018 for encryption to be applied on 98% of its appliances.

The failure to encrypt ePHI amounted to a breach of 45 C.F.R. § 164.312(a) – The technical protections of the HIPAA Safety Law – as per OCR. The data breaches also constituted a breach of 45 C.F.R. § 164.502(a) – Permissible uses and exposure of PHI.

OCR decided that the HIPAA breaches fell short of ‘deliberate neglect’ and in its place were fined under the ‘realistic cause’ tier. The realistic cause is “an act or omission in which a protected unit or business associate knew, or by exercising realistic carefulness would have known, that the act or error breached an administrative simplification provision, however in which the protected unit or business associate didn’t act with deliberate negligence.”

The fines for these HIPAA breaches is a minimum of $1,000 per breach up to a maximum of $1.5 million per calendar year. As these breaches were decided to have spanned three years, and 34,883 patients were affected, OCR decided to penalize MD Anderson at the maximum level of $1.5 million for each calendar year.

MD Anderson asserted that it was not essential to use encryption as the data were used for research and fell outside of HIPAA. The fine amount was also disputed and was thought to be excessive.

The ALJ opposed and ruled in favor of OCR. MD Anderson is needed to pay OCR $4,348,000 in civil monetary fines to settle the HIPAA breaches.

“OCR is sincere about safeguarding health information secrecy and will pursue the court case, if required, to hold units accountable for HIPAA breaches,” said OCR Director Roger Severino. “We are delighted that the judge supported our imposition of fines because it highlights the dangers units take if they fail to apply effective protections, like data encryption, when required to safeguard confidential patient information.”