21 JUNE 2018
The U.S. Department of Health and Human Services’ (‘HHS’) Office for Civil Rights (‘OCR’) announced, on 18 June 2018, that the HHS Departmental Appeals Board, Civil Remedies Division (‘the Appeals Board’) had granted summary judgment in favour of the OCR in Director of the Office for Civil Rights v. The University of Texas MD Anderson Cancer Center (‘MD Anderson’) (‘the Ruling’). In particular, the Appeals Board found that MD Anderson had violated the Health Insurance Portability and Accountability Act of 1996 (‘HIPAA’) Privacy Rule through its failure to encrypt electronic devices, which led to electronic protected health information (‘ePHI’) being disclosed following the theft of an unencrypted laptop and the loss of two USB drives. The Appeals Board required MD Anderson to pay $4,348,000 in civil monetary penalties to the OCR.
The Appeals Board opined in the Ruling, “What is most striking about this case is that MD Anderson knew for more than five years that its patients’ ePHI was vulnerable to loss and theft and yet, it consistently failed to implement the very measures that it had identified as being necessary to protect that information. MD Anderson’s dilatory conduct is shocking given the high risk to its patients resulting from unauthorised disclosure of ePHI, a risk that MD Anderson not only recognised but that it restated many times.”
Penalties in this case were reasonable given the gravity of non-compliance
MD Anderson had argued that HIPAA’s requirements did not apply to the case, based on MD Anderson’s interpretation of the preamble to HIPAA, exempting research information from its scope. The Appeals Board held, however, that MD Anderson had identified nothing in HIPAA to support that argument. In particular, it agreed with the OCR that the language of HIPAA’s research exemption is only meant to apply in very limited instances, specifically in relation to research conducted by non-covered entities and business associates that receive information from covered entities.
Finally, the Appeals Board stated, “The reality is that the penalties imposed in this case are quite modest given the gravity of MD Anderson’s non-compliance. [T]he penalties are minuscule when compared with MD Anderson’s size and the volume of business that it does […] Remedies in this case need to be more than a pinprick in order to assure that MD Anderson and similarly situated entities comply with HIPAA’s non-disclosure requirements.”
BART VAN DER GEEST Junior Privacy Analyst