- The University of Texas M.D. Anderson Cancer Center was having a hard time protecting patient electronic health information (ePHI).
- After several security-related incidents, there was no evidence that any of the lost devices were used, or that the ePHI was accessed by anyone, but the state-run cancer center clearly failed to protect the data, and had failed to encrypt these records.
- The Department of Health and Human Services investigated Anderson for violations of HIPAA and HITECH laws and regulations.
- HHS imposed a fine of $4,348,000 USD against Anderson, and administrative and court appeals followed. On January 14, 2020, the United States Court of Appeals for the Fifth Circuit (which includes Texas) found that HHS findings, specifically that the hospital had no “mechanism to encrypt” health records, and that they improperly “disclosed” these records, was arbitrary and capricious, and reversed the fines.
- The federal appeals court distinguished between a failure of encryption and a failure to have a mechanism to encrypt, noting that a company could have a bulletproof encryption procedure, and encrypt thousands of computers and millions of thumb drives, and still inadvertently fail to encrypt a few drives which would result in a security breach.
- The court noted that the cancer center’s loss of data was due to “reasonable cause” and not “willful neglect” 42 U.S.C. § 1320d5(a)(1)(B).
- There is an erroneous assumption that every data breach involving ePHI is a HIPAA violation, and that every “loss of control” of data is an improper disclosure of ePHI.
- HHS needs to have the power to impose fines for true violations. Sometimes, these fines need to be severe and consequential. Mere failures of security – even when they have bad results – should result in orders to compensate the privacy victims, not necessarily pay off HHS. But willful, deliberate and repeated failures to do the basic things – even when no breach occurs – should permit HHS to bring down the hammer.
– Mark Rasch | March 4, 2021