(The following is excerpted from Ballard Spahr’s CyberAdviser blog.)
The Departmental Appeals Board of the U.S. Department of Health and Human Services has granted summary judgment against the University of Texas MD Anderson Cancer Center, upholding $4.3 million in penalties against the Center for violations of HIPAA’s privacy and security rules. In this case, the personal medical data of more than 33,000 individuals was exposed through the theft of a laptop and the loss of thumb drives. None of these devices was encrypted, and the laptop was not even password protected.
The Board found that the Center had made only “half-hearted and incomplete efforts” to encrypt or otherwise protect mobile devices containing electronic protected health information (ePHI). The Board determined that these efforts were much delayed despite the Center’s recognition of the risks and its establishment of a policy for encryption and protection of mobile devices. Specifically, the Board ruled that:
The Center also raised several arguments that went beyond the question of its compliance with the HIPAA regulations, contending that: (i) HIPAA does not apply to it as a state governmental entity; (ii) the penalties exceed the statutory limits; and (iii) the penalties violate the Excessive Fines Clause of the Eighth Amendment to the U.S. Constitution. The Board declined to address these arguments, which it viewed as falling outside the scope of its authority.
As it stands, the Board’s decision reminds covered entities and business associates that policies alone are not sufficient: the safeguards those policies call for must actually be implemented, thoroughly and on a timely basis. More specifically, it highlights the danger of storing unprotected ePHI on a mobile device and the need for appropriate controls, such as encryption, to minimize the risks that apply to those devices.
The Board’s decision may not be the last word in this case. The fact that the matter went to the Board at all is itself unusual: most HIPAA matters of this nature have ended in settlement agreements with the HHS Office for Civil Rights. The Center apparently chose not to enter into such an agreement and has stated its intent to contest the Board’s ruling.
Ballard Spahr attorneys established the Health Care Reform Dashboard as a one-stop resource under the Affordable Care Act. We have expanded the scope of the Dashboard to extend to certain other laws, but continue the mission of providing our readers with information about significant changes affecting health care and health benefits in the United States and to establish a repository for analysis and original source material of significant developments that have occurred over time. Change is ongoing, and we will continue to update the Dashboard to reflect new legislation, administrative guidance, and judicial decisions as they are published.
This publication was written by members of Ballard Spahr’s Health Care Group.
Edward I. Leeds