ALJ Ruling Upholds $4.3 Million in HIPAA Penalties for Lack of Portable Device Encryption
On June 1, 2018, a Department of Health and Human Services ("HHS") Administrative Law Judge ("ALJ") granted summary judgment in favor of the HHS Office for Civil Rights ("OCR"), sustaining $4.3 million in penalties against The University of Texas MD Anderson Cancer Center ("MD Anderson"), for its alleged failure to comply with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). The penalties stemmed from the theft of an unencrypted laptop and the loss of two unencrypted USB thumb drives, which contained the electronic Protected Health Information ("ePHI") of approximately 30,000 individuals. The alleged breaches occurred between April 2012 and November 2013. MD Anderson has stated that it plans to appeal the decision.
ALJ Steven T. Kessel found that even though MD Anderson recognized the vulnerability of its ePHI due to the lack of encryption of portable devices, it nevertheless failed to implement encryption or another equivalent mechanism. As early as 2006, MD Anderson identified its lack of encryption and even adopted a policy requiring stored data to be encrypted. However, MD Anderson did not finish the encryption process before the 2012 and 2013 incidents. According to Judge Kessel, MD Anderson made "only half-hearted and incomplete efforts at encryption" and proceeded with encryption "at a snail's pace."
MD Anderson argued that HIPAA does not require encryption since it is only an addressable standard under the Security Rule. While Judge Kessel acknowledged that encryption is not mandatory under the regulations, he stressed that an entity must still choose an effective mechanism to protect its PHI. MD Anderson had flexibility with respect to the mechanism it chose, but failed to implement any equivalent mechanism to adequately protect the ePHI on its portable devices. He stated, "Encryption of devices wasn't a mechanism specifically dictated by the regulations," but, "once Respondent elected to utilize that mechanism, it was obligated to make it work."
Judge Kessel also rejected MD Anderson's argument that the ePHI on the unencrypted laptop and thumb drives was not unlawfully disclosed because there was no evidence that anyone ever viewed the lost and stolen ePHI. Judge Kessel explicitly ruled that ePHI does not have to be "viewed by unauthorized individuals in order to be disclosed"; rather, any loss of ePHI constitutes a disclosure. According to the ALJ, any other interpretation of HIPAA would allow covered entities to "cast ePHI to the winds and be immune to penalty so long as OCR fails to prove that someone else received and viewed that information."
Finally, Judge Kessel concluded that the $4.3 million in penalties imposed by OCR were reasonable and even modest based on the facts of the case. The civil monetary penalties imposed on MD Anderson included penalties of $2,000 per day from March 24, 2011 to January 25, 2013 for failure to encrypt ePHI, and $1.5 million per year for 2012 and 2013 for the loss and theft of ePHI. Judge Kessel determined that the daily penalties were reasonable because they were well below the allowable daily amount of $50,000 and that the annual penalties were reasonable due to MD Anderson's high level of culpability. Judge Kessel concluded that "the sheer size of [MD Anderson's] operations and the enormous amount of revenue that it generates, argue against reducing the penalty amounts," and that "remedies . . . need to be more than a pinprick" in order to ensure that organizations comply with HIPAA.
This harsh ruling is another reminder that OCR is enforcing HIPAA ever more aggressively and that encryption, in particular, has become a growing focus of its enforcement efforts. Since encryption has become far less expensive in recent years, the standard practice is to encrypt all portable devices containing ePHI. More broadly, HIPAA covered entities and business associates should ensure that they have robust policies and procedures to protect all PHI and that they effectively implement those policies and procedures. HIPAA compliance on paper alone will not suffice. Risks identified during security assessments must be effectively addressed. As this case clearly shows, leaving a gap between identified risks and implemented security mechanisms will leave the organization vulnerable to government enforcers with the authority to impose massive fines.