(The following is excerpted from Ballard Spahr's CyberAdviser blog.)
The Departmental Appeals Board of the U.S. Department of Health and Human Services has granted summary judgment against the University of Texas MD Anderson Cancer Center upholding $4.3 million in penalties against the Center for violations of HIPAA's privacy and security rules. In this case, the personal medical data of more than 33,000 individuals was exposed through the theft of a laptop and the loss of unencrypted thumb drives. None of these devices was encrypted, and the laptop was not password protected.
The Board found that the Center had made only "half-hearted and incomplete efforts" to encrypt or otherwise protect mobile devices containing electronic protected health information (ePHI). The Board determined that these efforts were much delayed despite the Center’s recognition of the risks and its establishment of a policy for encryption and protection of mobile devices. Specifically, the Board ruled that:
Although HIPAA does not specifically require encryption of ePHI, it does require appropriate safeguards. The Center chose encryption as its method for safeguarding ePHI on mobile devices, but failed to timely and fully implement that policy or to implement alternative measures.
The ePHI contained in the lost and stolen devices was "disclosed" within the meaning of HIPAA, even though there is no proof that anyone unauthorized ever accessed it. The Board distinguished this case from private lawsuits for damages caused by the disclosure of information, which may apply a different standard for proof of harm.
The fact that the information may have been used in research does not shield it from HIPAA's requirements. The Board left open the possibility that the Center might have made a more sustainable argument if it had more specifically segregated its research function from its clinical function.
The Center is responsible for the actions of its employees who perform work functions, even if those employees violated the Center's policy for encryption.
The Office of Civil Rights reasonably determined the penalties to apply based on the Center's awareness of the risks posed by its failure to encrypt, its delays in implementing its policy of encryption, and the number of individuals affected.
The Center made several assertions beyond compliance with the HIPAA regulations, arguing that: (i) HIPAA does not extend to it as a state governmental entity; (ii) the penalties exceed statutory limits; and (iii) the penalties violate the excessive fines provision of the Eighth Amendment of the U.S. Constitution. The Board declined to address these arguments, which it viewed as falling beyond the scope of its authority.
As it stands, the decision by the Board reminds covered entities and business associates that policies alone are not sufficient—it is necessary to implement those policies on a thorough and timely basis. More specifically, it highlights the dangers of placing unprotected information on a mobile device and the need for appropriate controls to minimize the risks that apply to those devices.
The Board's decision may not be the last word in this case. The fact that the case went to the Board is itself unusual. Most HIPAA matters of this nature have ended in settlement agreements with the Office of Civil Rights. The Center apparently chose not to enter into such an agreement and has stated its intent to contest the Board's ruling.
Ballard Spahr attorneys established the Health Care Reform Dashboard as a one-stop resource under the Affordable Care Act. We have expanded the scope of the Dashboard to extend to certain other laws, but continue the mission of providing our readers with information about significant changes affecting health care and health benefits in the United States and to establish a repository for analysis and original source material of significant developments that have occurred over time. Change is ongoing, and we will continue to update the Dashboard to reflect new legislation, administrative guidance, and judicial decisions as they are published.
Copyright © 2018 by Ballard Spahr LLP.
(No claim to original U.S. government material.)
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.
This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.