It is a rare occurrence when a health care entity challenges the Office for Civil Rights (OCR) regarding proposed fines and penalties for HIPAA violations. In my memory, it has only happened once before.
On June 1, 2018, an Administrative Law Judge (ALJ) granted summary judgment in favor of the OCR against The University of Texas MD Anderson Cancer Center and “sustained the imposition of the following remedies:”
- Civil money penalties of $2,000 per day from March 24, 2011 through January 25, 2013; and
- Civil money penalties of $1,500,000 per year for the years 2012 and 2013.
The Administrative Law Judge (ALJ) stated: “[T]he daily civil money penalties that I impose remedy Respondent’s failure to encrypt electronic devices including laptop computers and USB thumb drives pursuant to the requirements of law. The annual civil money penalties that I impose remedy Respondent’s unlawful disclosure of electronic Protected Health Information (ePHI) relating to about 30,000 individuals in 2012 and more than 3500 individuals in 2013.”
The crux of the ALJ’s decision on MD Anderson’s failure to encrypt was based upon the fact that it was “not only aware of the need to encrypt devices in order to assure that confidential data including ePHI not be improperly disclosed, but it established a policy requiring the encryption and protection of devices containing ePHI. However, and despite this awareness and its own policies, Petitioner made only half-hearted and incomplete efforts at encryption over the ensuing years. As a consequence, the theft of a laptop computer that was not encrypted and the loss of two unencrypted USB thumb drives resulted in the unlawful disclosure of ePHI relating to tens of thousands of Respondent’s patients.”
The ALJ analyzed MD Anderson’s policies from 2006, which acknowledged the need to encrypt data and “repeatedly announced a policy that both required encryption of confidential data and prohibited unsecured storage of such data.” The judgment then stated that “despite identifying the risk of and dangers related to confidential data loss and deciding on encryption of devices as a means of protecting such data, Respondent delayed encryption of laptop devices for years and then, proceeded with encryption at a snail’s pace” and did not begin mass encryption of its laptops until May 2012.
On April 30, 2012, an unencrypted laptop containing the names, Social Security numbers, medical record numbers, and treatment and/or research information of almost 30,000 patients was stolen from a clinician’s home. On July 13, 2012, a trainee lost a USB drive containing the PHI of 2,200 patients while riding an employee shuttle bus, and on November 27, 2013, a visiting researcher lost an unencrypted USB drive that contained the ePHI of 3,600 individuals.
Importantly, the ALJ acknowledged that the HIPAA regulations do not specifically require that devices be encrypted and give covered entities “considerable flexibility” as to how they protect ePHI. The opinion does not stand for the proposition that encryption is now required by HIPAA (it is an “addressable” standard), but that “whatever mechanisms that an entity adopts must be effective.” In this case, the ALJ found that MD Anderson “failed to adopt an effective mechanism to protect its ePHI.”
There are several takeaways from this decision. First, it provides unfortunate precedent supporting OCR’s interpretation of the HIPAA regulations that it can assess a monetary penalty on a daily basis (which has been and will, no doubt, continue to be disputed). Second, it reinforces that entities must review their existing policies and procedures regarding compliance with the Security Rule, put security measures in place to protect ePHI (of course, that is required by HIPAA), and update their policies and procedures to reflect existing circumstances. And third, it makes clear that if a particular method of data security protection is determined to be the preferred method, measures must be taken to implement it in a timely manner.