Recent ALJ Ruling on HIPAA Violation Results in Over $4 Million in Penalties

HHS Administrative Law Judge Rules Against The University of Texas MD Anderson Cancer Center for Over $4.3 Million in Penalties

The Department of Health and Human Services (HHS) continues to hold healthcare entities responsible for Health Information Portability and Accountability Act (HIPAA) violations. In its effort to protect health information privacy, the HHS Office for Civil Rights (OCR) is tasked with investigating reported HIPAA violation complaints. If a complaint alleges any action that could constitute a violation of the HIPAA criminal provision, OCR may refer the complaint to the Department of Justice for investigation. Otherwise, OCR may attempt to resolve the case with the HIPAA covered entity (covered entity) by obtaining voluntary compliance, corrective action, and/or a resolution agreement. If the covered entity refuses to resolve the case in the manner OCR chooses, then OCR can decide to impose civil money penalties (CMPs) on the covered entity. If CMPs are imposed, the covered entity has the option of requesting a hearing with an HHS Administrative Law Judge (ALJ) to challenge the imposed penalties. A recent case involving an ALJ review is that of The University of Texas MD Anderson Cancer Center (MD Anderson).

MD Anderson is a degree-granting academic institution and a comprehensive cancer treatment and research center in Houston, Texas. OCR investigated MD Anderson on three separate data breach reports in 2012 and 2013. Although MD Anderson had encryption policies in place, OCR found that it lacked device-level encryption, which posed a high risk to the security of its electronic protected health information (ePHI). After these findings, MD Anderson still failed to adopt an enterprise-wide solution to encrypt its ePHI until 2011. The ALJ ruled that MD Anderson violated the HIPAA Privacy and Security Rules and granted summary judgment to OCR on all issues. The ALJ also required MD Anderson to pay $4,348,000 in CMPs to OCR, the fourth-largest amount ever awarded to OCR by an ALJ or secured in a settlement for HIPAA violations.

HIPAA Compliance Experts to Help Your Organization

Our HIPAA compliance consultants have over 40 years of experience providing research, analysis, and program support on privacy and security rules to clients in both the commercial sector and government sector. Call us at (703) 683-9600 or contact us online for a tailored assessment of your organization’s individual needs.