HIPAA Horror Stories

The Forgotten ePHI Policy


A Texas cancer center’s unenforced Electronic Protected Health Information policy posed a “shockingly high risk” to patients.

A large Texas teaching hospital was ordered to pay more than $4.3 million in civil money penalties over three Electronic Protected Health Information (ePHI) breaches after arguing, wrongly, that the lost data was not covered by the Health Insurance Portability and Accountability Act (HIPAA).

An ePHI policy, ignored

Despite having written data encryption policies dating back to 2006, The University of Texas MD Anderson Cancer Center in Houston did not put those policies into practice across the organization until 2011. That gap between policy and enforcement, itself a HIPAA violation, set the stage for three data breaches.

The first breach occurred when an MD Anderson employee’s unencrypted laptop was stolen from his home. The other two stemmed from the loss of two unencrypted thumb drives. Across the three incidents, roughly 35,000 unencrypted ePHI records were exposed.

Even after the theft and losses, MD Anderson still had not encrypted the devices in its inventory that held ePHI.

Hospital argues lost records not ePHI

MD Anderson claimed that it was not obligated to encrypt its devices, and argued that the lost ePHI had been collected for “research” and was therefore not subject to HIPAA’s nondisclosure requirements.

MD Anderson further argued that HIPAA’s penalties were unreasonable. 

Judge rejects non-ePHI argument

The Administrative Law Judge rejected both arguments. MD Anderson’s “dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI,” the judge wrote, a risk that MD Anderson “not only recognized, but that it restated many times,” as quoted in a U.S. Department of Health and Human Services (HHS) press release.

The HHS Administrative Law Judge (ALJ) ruled that MD Anderson had violated the HIPAA Rules and granted summary judgment to the Office for Civil Rights (OCR), ordering the hospital to pay $4,348,000.

What are your ePHI policies?

What are your data inventory policies? Do you know which laptops, phones and removable drives hold ePHI, and whether each one is encrypted? Would you know what to do if one of your employees lost a laptop or thumb drive?

The HIPAA E-Tool® makes compliance fast and easy. Get your free HIPAA Quick Start kit, complete with a webcam privacy guard, HIPAA Hot Zone labels and a HIPAA checklist delivered directly to your office.

Don’t become a HIPAA Horror Story! HIPAA compliance is easy, when you know the rules.


Copyright © 2020 ET&C Group LLC.

