
Fraud & Abuse

Texas Cancer Center to Pay $4.3 Million

A Texas cancer center's $4.3 million HIPAA civil money penalty and the unencrypted devices that triggered federal scrutiny.

April 2026 · AXIS CloudSync Compliance Team

A U.S. Department of Health and Human Services Administrative Law Judge (ALJ) has ruled that the University of Texas M.D. Anderson Cancer Center (M.D. Anderson) violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules, and granted summary judgment to the Office for Civil Rights (OCR) on all issues, requiring M.D. Anderson to pay $4,348,000 in civil money penalties to OCR.

This is the second summary judgment victory in OCR's history of HIPAA enforcement, and the $4.3 million is the fourth largest amount ever awarded to OCR by an ALJ or secured in a settlement for HIPAA violations. M.D. Anderson is both a degree-granting academic institution and a comprehensive cancer treatment and research center located at the Texas Medical Center in Houston.

OCR investigated M.D. Anderson following three separate data breach reports in 2012 and 2013. The reports involved the theft of an unencrypted laptop from the residence of an M.D. Anderson employee and the loss of two unencrypted universal serial bus (USB) thumb drives. Together, the devices held the unencrypted electronic protected health information (ePHI) of over 33,500 individuals.

OCR's investigation found that M.D. Anderson had written encryption policies going as far back as 2006, and that M.D. Anderson's own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI. Despite the encryption policies and high-risk findings, M.D. Anderson did not begin to adopt an enterprise-wide solution to implement encryption of ePHI until 2011, and even then it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011 and January 25, 2013. The ALJ agreed with OCR's arguments and findings and upheld OCR's penalties for each day of M.D. Anderson's noncompliance with HIPAA and for each record of individuals breached.

"OCR is serious about protecting health information privacy and will pursue litigation if necessary to hold entities responsible for HIPAA violations," said OCR Director Roger Severino. "We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information."

M.D. Anderson claimed that it was not obligated to encrypt its devices and asserted that the ePHI at issue was for research and thus was not subject to HIPAA's nondisclosure requirements. M.D. Anderson further argued that HIPAA's penalties were unreasonable. The ALJ rejected each of these arguments and stated that M.D. Anderson's "dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI," a risk that M.D. Anderson not only recognized but restated many times.

One caveat for anyone citing this case today: the ALJ decision was not the end of the litigation. In January 2021 the U.S. Court of Appeals for the Fifth Circuit (University of Texas M.D. Anderson Cancer Center v. HHS) vacated the $4.3 million penalty, holding that HHS's reading of the encryption and disclosure provisions and the size of the penalty were arbitrary and capricious. The operational lesson is unchanged: when your own risk analysis rates unencrypted laptops and removable media as a high risk to ePHI, that finding has to be closed out across the device inventory, not just written into policy. But the penalty figure itself should not be quoted as a final enforcement outcome.
