Texas Cancer Center’s weak Electronic Protected Health Information records policy poses “shockingly high risk” to patients.
A giant Texas teaching hospital paid $4.3 million to settle two Electronic Protected Health Information (ePHI) breach complaints after claiming, wrongly, that the data wasn’t covered by the Health Insurance Portability and Accountability Act (HIPAA).
An ePHI policy, ignored
Despite having written data encryption policies dating back to 2006, The University of Texas – Houston’s MD Anderson Cancer Center failed to adopt those policies throughout the organization until 2011. The policy failure, a major HIPAA violation, led to three data breaches.
The first data breach occurred when an MD Anderson employee’s laptop was stolen from his home. The other two breaches stemmed from the loss of two thumb drives containing 35,000 unencrypted ePHI records.
Even after the theft and losses, MD Anderson failed to encrypt its inventory of electronic devices containing ePHI.
Hospital argues lost records not ePHI
MD Anderson claimed that it was not obligated to encrypt its devices, and said the lost ePHI was for “research,” and thus was not subject to HIPAA’s nondisclosure requirements.
MD Anderson further argued that HIPAA’s penalties were unreasonable.
Government rejects non-ePHI argument
The government rejected both of these arguments. MD Anderson’s “dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI,” a risk that MD Anderson “not only recognized, but that it restated many times,” according to a Health & Human Services press release.
A U.S. Department of Health and Human Services Administrative Law Judge (ALJ) ruled that MD Anderson had violated HIPAA rules and granted summary judgment to the Office for Civil Rights, ordering the hospital to pay $4,348,000.
What are your ePHI policies?
What are your data inventory policies? Would you know what to do if one of your employees lost a laptop or thumb drive?