A recent legal ruling demonstrates the importance of using encryption to protect ePHI from unauthorized viewing. A U.S. Department of Health and Human Services Administrative Law Judge (ALJ) ruled that The University of Texas MD Anderson Cancer Center (MD Anderson) violated the HIPAA Privacy and Security Rules and granted summary judgment to the Office for Civil Rights (OCR) on all issues, requiring MD Anderson to pay $4,348,000 in civil money penalties to OCR. OCR reported that the Cancer Center had three separate data breaches in 2012 and 2013. The breaches involved the theft of an unencrypted laptop from the residence of a Cancer Center employee and the loss of two unencrypted universal serial bus (USB) thumb drives, together containing the unencrypted electronic protected health information (ePHI) of over 33,500 individuals. The Cancer Center had written encryption policies going back as far as 2006 and had conducted a risk analysis that found that the lack of device-level encryption posed a high risk to the security of ePHI. Nonetheless, the Cancer Center did not begin to implement encryption of ePHI until 2011, and still failed to encrypt its inventory of devices containing ePHI (data at rest) between March 24, 2011 and January 25, 2013. The Cancer Center was penalized for each day of non-compliance with HIPAA and for each record of an individual whose ePHI was breached, which explains the high civil monetary penalty of $4,348,000.
The Cancer Center argued that it was not obligated to encrypt its devices and that the ePHI disclosed was for research and therefore not subject to HIPAA disclosure rules. The Cancer Center further argued that HIPAA’s penalties were unreasonable. The judge rejected each of these arguments and stated that the Cancer Center’s “dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI,” a risk that the Cancer Center “not only recognized, but that it restated many times.”
So, what can you learn from this incident? First, while the HIPAA Security Rule identifies “encryption” as an addressable implementation specification, this does not mean the specification is optional. It means that if you choose not to use encryption, you must adopt an equivalent alternative measure to secure the ePHI, or have a very strong, documented justification for why the specification does not apply in your circumstances. The Cancer Center did neither, despite its own risk analysis identifying the lack of device-level encryption as a high risk to the security of the ePHI. Furthermore, numerous encryption solutions are available for end user and portable devices that are well within the capability of all covered entities (CEs), so it would be difficult for a CE to defend not employing encryption to protect PHI from unauthorized viewing. Secondly, if you have a policy stating that you accomplish X, Y, and Z, make sure your actions mirror the policy. An adage among compliance professionals states that what is worse than not having a policy is having a policy and not following it. This was the case for the Cancer Center, which had encryption policies going back to 2006 that were not followed. Finally, PHI used for research purposes receives the same HIPAA protection as PHI used for Treatment, Payment, or Healthcare Operations.
Now is a very good time to inventory all your assets that store ePHI and determine whether you need to apply encryption or an equivalent alternative measure to secure the ePHI. Take proactive steps to protect your data at rest and protect your organization from a major civil monetary penalty. The encryption and decryption standard can be found in 45 CFR § 164.312(a)(2)(iv). The OCR news release on this case can be viewed here: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/mdanderson/index.html. For more on how HIPAAtrek can help you with your HIPAA privacy and security program, please contact our CEO Sarah Badahman at email@example.com