HIPAA Horror Stories

The Forgotten ePHI Policy

Texas Cancer Center’s weak Electronic Protected Health Information records policy poses “shockingly high risk” to patients.

A giant Texas teaching hospital paid $4.3 million to settle two Electronic Protected Health Information (ePHI) breach complaints after claiming, wrongly, that the data wasn’t covered by the Health Insurance Portability and Accountability Act (HIPAA).

An ePHI policy, ignored

Despite having written data encryption policies dating back to 2006, The University of Texas – Houston’s MD Anderson Cancer Center failed to adopt those policies throughout the organization until 2011. The policy failure, a major HIPAA violation, led to three data breaches.

The first data breach occurred when an MD Anderson employee’s laptop was stolen from his home. The other two breaches stemmed from the loss of two thumb drives containing 35,000 unencrypted ePHI records.

Even after the theft and losses, MD Anderson failed to encrypt its inventory of electronic devices containing ePHI.

Hospital argues lost records not ePHI

MD Anderson claimed that it was not obligated to encrypt its devices, and said the lost ePHI was for “research,” and thus was not subject to HIPAA’s nondisclosure requirements.

MD Anderson further argued that HIPAA’s penalties were unreasonable.

Government rejects non-ePHI argument

The government rejected both arguments. MD Anderson’s “dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI,” a risk that MD Anderson “not only recognized, but that it restated many times,” according to a Health & Human Services press release.

A U.S. Department of Health and Human Services Administrative Law Judge (ALJ) ruled that MD Anderson had violated HIPAA rules and granted summary judgment to the Office for Civil Rights, ordering the hospital to pay $4,348,000.

What are your ePHI policies?

What are your data inventory policies? Would you know what to do if one of your employees lost a laptop or thumb drive?

Don’t become a HIPAA Horror Story! HIPAA compliance is easy, when you know the rules.

Copyright © 2023 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC
