HIPAA has teeth.  On June 1, 2018, an Administrative Law Judge (ALJ) ruled that the University of Texas MD Anderson Cancer Center violated HIPAA.  In doing so, the ALJ granted the Office of Civil Rights (OCR) summary judgment, requiring the hospital to fork up the $4,348,000 in civil monetary penalties imposed by OCR. 

The underlying facts of this data breach involved the theft of an unencrypted laptop from a physician’s home and the loss of two unencrypted thumb drives.  Combined, this theft and loss compromised the PHI of 33,500 individuals. To make matters worse, upon investigating the breaches, OCR uncovered that the hospital’s own risk analyses, as far back as 2006, found that the Hospital’s lack of device-level encryption was a high risk.  Unfortunately, the hospital did not act on the risk, failing to encrypt its inventory of electronic devices containing PHI.

The important lessons learned here are twofold.  First, take the risks identified by risk analyses seriously.  More importantly, why HIPAA is scalable, entities should try to implement some measures to address the associated risks identified by the analyses.  Second, all covered entities and business associates should ensure that they encrypt portable media devices.  Unfortunately, theft happens and small USB drives are lost or misplaced.  For when the inevitable happens, encryption is one of your best defenses.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Daniel J. Kagan Daniel J. Kagan

Dan Kagan is an Associate in the Health Care, Long Term Care and Privacy and Cybersecurity Groups. He represents hospitals, physicians, nursing homes, assisted living communities, CCRCs and other health care clients with a wide range of regulatory, compliance, risk management, transactional and…

Dan Kagan is an Associate in the Health Care, Long Term Care and Privacy and Cybersecurity Groups. He represents hospitals, physicians, nursing homes, assisted living communities, CCRCs and other health care clients with a wide range of regulatory, compliance, risk management, transactional and reimbursement issues.

With regard to Privacy and Cybersecurity, Dan has experience drafting privacy policies and notices, website terms of use, written information security plans and incident response plans.  Dan counsels clients on compliance issues related to state, federal and international privacy laws including the General Data Protection Regulation (GDPR).  Dan also has experience representing both health care and non-health care clients that have suffered data breaches and assists such clients with breach response and applicable reporting obligations.  Dan writes extensively on privacy and cybersecurity issues and is a co-editor of Murtha’s Privacy and Cybersecurity Perspectives blog.

As a member of the Health Care and Long Term Care groups, Dan has experience representing clients with HIPAA compliance, Stark and anti-kickback analyses, purchase and sale transactions, reviewing and drafting contracts, certificate of need requirements, rate appeals, Medicare and Medicaid audits, medical staff and credentialing matters, licensing and change of ownership proceedings.

Prior to joining Murtha Cullina, Dan clerked for the Honorable Lubbie Harper, Jr. and the Honorable Joseph H. Pellegrino of the Connecticut Appellate Court.

Dan received his J.D. with honors from the University of Connecticut School of Law where he was a Notes and Comments Editor for the Connecticut Insurance Law Journal. He earned his Bachelor of Arts in Economics from McGill University.