HIPAA Alert: Judge Upholds $4.3 Million in Penalties against a Medical Center for Failing to Secure Laptops and USB Drives

On June 1, 2018, a judge granted summary judgment in favor of the government and against a medical center, upholding over $4.3 million in civil monetary penalties for alleged HIPAA violations.

In Director of the Office for Civil Rights v. The University of Texas MD Anderson Cancer Center, the Department of Health and Human Services Office for Civil Rights (OCR) alleged the medical center failed to comply with HIPAA by (1) failing to secure electronic devices and data storage equipment, and (2) allowing electronic protected health information (ePHI) of over 30,000 patients to be disclosed. The OCR investigated the medical center after the theft of an unsecured laptop and the loss of two USB thumb drives. The laptop and USB drives were neither password-protected nor encrypted.

The medical center denied that HIPAA requires the encryption of devices and denied that there was an “unlawful disclosure,” as there was no evidence that the lost or stolen information was received or viewed by anyone. The judge reasoned that a covered entity is not required to guarantee the safety of ePHI, but must reasonably safeguard PHI from unlawful disclosure. 45 C.F.R. Section 164.312(a)(1). While covered entities have flexibility to decide how the information is protected, the safeguards they choose must be effective. By failing to encrypt or password-protect the lost or stolen devices, the medical center failed to ensure that its systems and devices containing ePHI were inaccessible to unauthorized users. The judge also reasoned that the purpose of HIPAA is to protect against failures and omissions by covered entities that might result in such consequences as identity theft or other invasions of privacy, and that in most instances it would be impossible to determine whether the information on the lost and stolen devices resulted in an individual’s identity theft. The judge distinguished this case from a private suit for damages, in which courts have held there is no cause of action absent proof that an unauthorized individual or entity received the information and proof of damages.

In summary, the U.S. Department of Health and Human Services Departmental Appeals Board judge ruled that the medical center violated the HIPAA Privacy and Security Rules, granted summary judgment in favor of the OCR, and upheld the OCR’s civil monetary penalties in the amount of $4,348,000.

A copy of the 17-page decision can be found here. Please do not hesitate to contact Lowis & Gellen’s HIPAA Compliance Officer, Kristin Ahmadian, or any of the attorneys at Lowis & Gellen, LLP should you have any questions.