Hospital Hit with $4.3 Million Fine for “Snail’s Pace” HIPAA Compliance

Healthcare organizations take note: not following your own data security rules can be costly, very costly. And the longer it takes to comply, the faster the fines stack up.

An administrative law judge recently upheld the fourth largest HIPAA fine – a $4.3 million penalty – issued to the University of Texas MD Anderson Cancer Center for not following its own data security policies. MD Anderson's own security policies required the encryption of devices containing electronic protected health information (ePHI).

In three separate instances dating back to 2012 and 2013, ePHI for more than 35,000 individuals was exposed when two unencrypted thumb drives and a laptop went missing.

It was only after the theft of the unencrypted laptop containing the ePHI of approximately 30,000 individuals that MD Anderson began mass encryption of its laptops. This was in May 2012, six years after MD Anderson wrote its policies requiring the encryption of laptops. MD Anderson's 2006 policy also required the encryption of ePHI on transportable media, but the institution did not distribute encrypted USB devices until September 2012, two months after the first of the two unencrypted thumb drives was lost. The second unencrypted thumb drive was lost in November 2013. Collectively, the two thumb drives contained the ePHI of more than 5,800 individuals.

The ALJ found that, despite enacting encryption policies in 2006 designed to implement HIPAA’s data security requirements and with full knowledge that the institution’s failure to implement such policies presented a risk to its patients’ ePHI, MD Anderson implemented the policies at a “snail’s pace.”

ALJ Steven T. Kessel said that MD Anderson’s slow implementation of security measures was “shocking.”

He also ruled that, even though HIPAA "regulations governing ePHI do not specifically require devices to be encrypted," they do require "that all systems containing ePHI be inaccessible to unauthorized users." Covered entities have substantial discretion in choosing how to accomplish this, but "the bottom line is that whatever mechanisms an entity adopts must be effective." And once a mechanism is chosen, the entity is "obligated to make it work." In other words, selecting encryption as the control and then leaving it unimplemented is not a defensible position.

For its failure to follow its own guidelines, MD Anderson was assessed a penalty of $2,000 per day from March 24, 2011 through January 25, 2013, a separate penalty for "each day of [MD Anderson's] failure to protect its devices."

ALJ Kessel also imposed penalties of $1,500,000 for each of the years 2012 and 2013, the maximum amount allowed per year. In his view, this amount properly reflected "the gravity of the loss."

MD Anderson says it will appeal the decision. We will report on future developments.