The University of Texas MD Anderson Cancer Center (MD Anderson) will have to pay more than $4.3 million in HIPAA fines because of three separate data breaches that occurred in 2012 and 2013.

The recent press release from the Office for Civil Rights (OCR) stated that a U.S. Department of Health and Human Services Administrative Law Judge (ALJ) ruled in favor of the OCR regarding these data breaches.  The data breaches occurred because lost or stolen devices were not encrypted; a laptop was stolen from an employee’s residence and two USB drives were lost.  These breaches affected more than 33,500 patients.

During its investigation of the breaches, OCR found that MD Anderson had written encryption policies in place as far back as 2006, and that MD Anderson’s own risk analyses had identified the lack of encryption on mobile devices as a high risk to the electronic protected health information (ePHI) stored on them.  Despite this, MD Anderson did not begin implementing encryption until 2011, and it still had not encrypted its full inventory of devices containing ePHI when these breaches occurred.

MD Anderson claimed that there was no obligation to encrypt such devices as the information contained on them was for “research” purposes.  Additionally, MD Anderson claimed that the HIPAA fines were unreasonable.

The ALJ rejected both arguments and wrote that MD Anderson’s “dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI.”

Additionally, OCR Director Roger Severino said, “OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations.”  Severino also stated that OCR is pleased the ALJ upheld the “imposition of penalties,” as it highlights the risks that covered entities and business associates take when they fail to implement effective safeguards.

This is a clear reminder that “addressable” does not mean optional.  Encryption of ePHI is an addressable, rather than a required, implementation specification under the HIPAA Security Rule, but an addressable specification must still be implemented if it is reasonable and appropriate; a covered entity that decides not to implement it must document why and put an equivalent alternative measure in place.  For laptops and removable media that leave the building, it is hard to justify anything other than full-device encryption, and a documented policy that is never fully rolled out, as happened here, offers no protection.  Encryption also determines whether a lost device is a reportable breach at all: ePHI on a device encrypted in a manner consistent with HHS guidance is not “unsecured” PHI, so the loss of the laptop and USB drives would not have triggered breach notification or this enforcement action had the devices been encrypted.

To conduct your risk assessment or learn more about what safeguards you should implement to help protect your organization against such large fines, join HIPAAgps today.