HIPAA has teeth. On June 1, 2018, an Administrative Law Judge (ALJ) ruled that the University of Texas MD Anderson Cancer Center violated HIPAA. In doing so, the ALJ granted the Office for Civil Rights (OCR) summary judgment, requiring the hospital to pay the $4,348,000 in civil monetary penalties that OCR had imposed.
The underlying facts of this data breach involved the theft of an unencrypted laptop from a physician's home and the loss of two unencrypted thumb drives. Combined, the theft and the losses compromised the PHI of 33,500 individuals. To make matters worse, upon investigating the breaches, OCR uncovered that the hospital's own risk analyses, dating as far back as 2006, had identified the lack of device-level encryption as a high risk. The hospital did not act on that finding, and its inventory of electronic devices containing PHI remained unencrypted.
The lessons here are twofold. First, take the risks identified by your risk analyses seriously. Because HIPAA's requirements are scalable to the size and resources of the entity, the safeguards chosen may vary, but an entity should implement some measures to address the risks its own analyses identify; a documented high risk left unaddressed for years is exactly what OCR will hold against you. Second, all covered entities and business associates should ensure that they encrypt portable media devices. Theft happens, and small USB drives are lost or misplaced. When the inevitable happens, encryption is one of your best defenses: under HHS guidance, PHI that is encrypted consistent with NIST standards is not considered "unsecured," so the loss of a properly encrypted device generally does not trigger breach notification, whereas the loss of an unencrypted one does.