A U.S. Department of Health and Human Services (“HHS”) administrative law judge (“ALJ”) ordered the University of Texas MD Anderson Cancer Center (“MD Anderson”) last month to pay a $4,348,000 civil monetary penalty because of violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  While the vast majority of enforcement actions taken against covered entities and business associates to date have been voluntary settlements, this action came in the form of summary judgment in favor of HHS.  MD Anderson has stated that it intends to appeal the ALJ’s decision.  If upheld, the civil monetary penalty would be the fourth-largest amount in HHS’s enforcement history.

The alleged HIPAA violations arose from three separate breaches reported by MD Anderson in 2012 and 2013, involving:  (1) the theft of an unencrypted laptop from the home of an MD Anderson physician and (2) the loss of two unencrypted thumb drives by MD Anderson personnel.  The lost devices in total contained the protected health information (“PHI”) of 34,883 patients, including information such as patient names, Social Security numbers, medical record numbers, and clinical and research information.

The ALJ’s sharp-tongued opinion provides several important reminders to covered entities and business associates with respect to HIPAA.

First, encryption is a strong mechanism for protecting organizations from breaches involving theft or loss of portable electronic devices.  Breach reports involving the loss or theft of portable electronic devices have triggered many of the HHS inquiries resulting in enforcement actions for HIPAA violations.  While the ALJ noted in his opinion that encryption is not specifically required by the HIPAA Security Rule, it is one way to help prevent reportable breaches involving the loss or theft of a portable electronic device containing PHI.

Second, the failure to implement approved security controls for the protection of PHI in a timely manner exposes organizations to significant risk.  The ALJ noted that MD Anderson first identified the need to encrypt its data in 2006—six years before the first breach reported in connection with the recent enforcement action occurred.  The ALJ stated that MD Anderson “delayed encryption of laptop devices for years, and then, proceeded with encryption at a snail’s pace.”  Indeed, MD Anderson had not encrypted all of its computers by January 2014.  Once MD Anderson decided to adopt encryption as its determined control for the protection of PHI on portable devices, according to the ALJ, “it was obligated to make it work.”  MD Anderson’s delay in fully implementing its encryption solution was ultimately found to be an aggravating factor supporting the reasonableness of the civil monetary penalty.

Third, establishing a HIPAA compliance program that exists solely on paper is not enough.  The 2006 edition of MD Anderson’s Information Resources Security Operations Manual required that data stored on laptops and other portable media be encrypted or protected with access controls.  In 2007, MD Anderson directed that confidential data should not be stored on portable devices, but that if it was, it must be encrypted using approved methods.  The ALJ was not persuaded by MD Anderson’s written commitments to encryption without follow-through on implementation and enforcement.

Fourth, organizations must consider how to sufficiently control PHI on portable electronic media purchased with technology stipends (sometimes called “Bring Your Own Devices” or “BYOD”).  One of the reported breaches that led to the recent enforcement action involved the theft of a laptop purchased by a physician with MD Anderson’s funds.  Because MD Anderson had not yet fully implemented its encryption plan in 2012 when the theft occurred, the laptop was not encrypted.  The laptop was not even password-protected.  Organization-issued laptops and other devices come standard with the organization’s access controls, including password protections, encryption, and other administrative controls preventing users from circumventing security efforts.  Organizations that offer technology stipends for the purchase of devices of the employees’ choosing should consider the mechanisms through which they should protect the security of the data accessed by such BYOD devices.  These could include, for example, mobile device management software or remote access controls that disallow storage of PHI on those devices, in addition to the policies and procedures governing the use of such devices.

Fifth, research data maintained by a covered entity must be protected in accordance with the HIPAA Privacy Rule and Security Rule.  MD Anderson argued that HIPAA did not apply to the data maintained on the lost and stolen devices because it was used in research, relying on preamble language that HIPAA does not apply to research records obtained by a researcher in its role as a researcher.  While MD Anderson attempted to read the pertinent preamble language broadly, the ALJ focused on the role of the institution conducting the research.  If the research was being conducted by a non-covered entity or non-business associate, that information would be subject to that narrow exception.  The ALJ suggested that a covered entity may be able to segregate its clinical functions from its research functions, which could be accomplished by a hybrid entity designation.  MD Anderson, however, did not argue that it segregated its clinical and research functions in this manner, resulting in the continued application of HIPAA to the data used for research.

HHS’s press release, the Notice of Proposed Determination, and the ALJ’s opinion are available here.