The Departmental Appeals Board of the Department of Health and Human Services (“Board”) has granted summary judgment against the University of Texas MD Anderson Cancer Center (“Center”) and upheld the imposition of $4.3 million in penalties against the Center for violations of HIPAA’s privacy and security rules. In this case, the personal medical data of more than 33,000 individuals was exposed through the theft of a laptop and the loss of two thumb drives. None of these devices was encrypted, and the laptop was not password protected.
The Board found the Center had made only “half-hearted and incomplete efforts” to encrypt or otherwise protect mobile devices containing electronic protected health information (“ePHI”). The Board determined that these efforts were much delayed despite the Center’s recognition of the risks and its establishment of a policy for encryption and protection of mobile devices. Specifically, the Board ruled that:
- Although HIPAA does not specifically require the encryption of ePHI, it does require the implementation of appropriate safeguards. The Center chose encryption as its method for safeguarding ePHI on mobile devices, but failed to timely and fully implement that policy or to implement alternative measures.
- The ePHI contained in the lost and stolen devices was “disclosed” within the meaning of HIPAA, even though there is no proof that anyone ever accessed it. The Board distinguished this case from private lawsuits for damages caused by the disclosure of information, which may apply a different standard for proof of harm.
- The fact that the information may have been used in research does not shield it from HIPAA’s requirements. The Board left open the possibility that the Center might have made a more sustainable argument if it had more specifically segregated its research function from its clinical function.
- The Center is responsible for the actions of its employees who perform work functions, even if those employees violated the Center’s policy for encryption.
- The Office of Civil Rights reasonably determined the penalties to apply based on the Center’s awareness of the risks posed by its failure to encrypt, its delays in implementing its policy of encryption, and the number of individuals affected.
The Center made several assertions beyond compliance with the HIPAA regulations, arguing that: (i) HIPAA does not extend to it as a state governmental entity; (ii) the penalties exceed statutory limits; and (iii) the penalties violate the excessive fines provision of the Eighth Amendment of the U.S. Constitution. The Board declined to address these arguments, which it viewed as lying beyond the scope of its delegated authority.
As it stands, the decision by the Board reminds covered entities and business associates that policies alone are not sufficient. It is necessary to actually implement those policies on a thorough and timely basis. More specifically, it highlights the dangers of placing unprotected information on a mobile device and the need for appropriate controls to minimize the risks that apply to those devices.
The Board’s decision may not be the last word in this case. The fact that the case went to the Board is itself unusual. Most HIPAA matters of this nature have ended in a settlement agreement with the Office of Civil Rights. The Center apparently chose not to enter into such an agreement and has stated its intent to contest the Board’s ruling.