In the latest twist in a case that began last year, an administrative law judge (ALJ) agreed that a $4.3 million penalty, levied by the Office of Civil Rights (OCR) against the MD Anderson Cancer Center as a result of HIPAA violations, should stand. The case is noteworthy not only because of the dollars involved, but also because of the way the ALJ reviewed OCR’s penalty calculation, in light of how the hospital failed to follow up on its own risk analysis.
Under the HIPAA Breach Rule, ALJs provide the first level of appeal from penalties that OCR may impose in administering the Breach Rule. In this case, the ALJ reviewed an OCR decision that MD Anderson had violated the HIPAA Security Rule by 1) failing to implement appropriate access controls on personal health information (PHI); and 2) making impermissible disclosures of PHI, in violation of the HIPAA Privacy Rule.
The case arose from three separate incidents in 2012 and 2013, and evidently, MD Anderson reported each to OCR on a timely basis because that issue did not arise in the case:
- In April of 2012, an unencrypted laptop that the hospital had provided to a physician was stolen from his home. The laptop contained PHI of over 29,000 individuals, and the physician acknowledged that even without the laptop being stolen, the PHI could have been accessed by any family member present in the home.
- In July of 2012, a thumb drive, onto which an intern had uploaded PHI of over 2,200 individuals, was misplaced on the way home from work.
- In December of 2013, a researcher discovered that an unencrypted thumb drive, containing PHI of over 3,500 individuals, had disappeared from her desk drawer when she returned after Thanksgiving.
These incidents occurred against the backdrop of a longstanding information security policy at MD Anderson that addressed encryption of PHI, and of a risk analysis completed in 2011, several months before the first incident. That risk analysis identified high risks associated with the lack of an enterprise-wide encryption regime and with a widespread practice at MD Anderson of downloading PHI to portable devices for outside use. Based on these facts, OCR concluded:
- MD Anderson had provided improper access to the PHI in each of the three incidents: “Since the devices were lost or stolen, and were never recovered, they are no longer in MD Anderson’s possession and are unprotected from an unauthorized person; therefore, MD Anderson ‘provided access’ to the PHI.”
- MD Anderson failed to address the risks it had identified through encryption, or alternatively failed to document a basis for finding the encryption was not feasible and to implement an equivalent alternative measure.
When this case reached the ALJ, he granted summary judgment in favor of OCR, concluding that all the relevant facts were established and so no hearing was needed to gather evidence. He agreed with OCR’s conclusion that when computer media containing unencrypted electronic PHI (ePHI) are stolen or misplaced, the organization has granted access to the PHI in violation of HIPAA.
Among key issues addressed in the ALJ decision was determining the appropriate penalty tier to calculate MD Anderson’s penalties. The ALJ agreed with OCR that it was appropriate to calculate the penalties under the “Reasonable Cause” standard, defined at 45 CFR 160.401:
“An act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.”
In cases that fall under this reasonable cause standard, OCR may impose a penalty of $1,000 for each violation, with a ceiling of $1.5 million in the aggregate for all identical violations in a calendar year. MD Anderson claimed that the penalties imposed should have been calculated under a lower standard for situations where a Covered Entity or Business Associate did not know of the violation, and would not have known with reasonable diligence. In those cases, OCR may impose a penalty of $100 per violation, with the same annual ceiling.
MD Anderson argued to the ALJ that it could not have foreseen that a thief would break into the doctor’s house, or that other staff would lose devices holding unencrypted PHI. It also pointed out that in one of these cases, the staff member had been given an encrypted thumb drive and failed to use it. Essentially, it asserted that the actions of a thief, or the unauthorized treatment of ePHI by members of its workforce should not be imputed to it. The ALJ’s responses to these arguments are telling:
“I agree that Respondent could not have known in advance about the specific events that caused ePHI to be disclosed in 2012 and 2013. But, that isn’t the issue. Respondent had a clear awareness of the risk of loss through accidental disclosures.
“. . .Respondent’s liability – and its culpability – emanated from its failure to address the risk that ePHI could be disclosed via the theft or loss of mobile devices containing such information. As I have discussed, respondent was well aware of that risk, devised a plan to ameliorate it, and failed to execute on that plan. The failure by Respondent to do what it announced it would do to encrypt all mobile devices, was the proximate cause of the subsequent ePHI loss.”
In his summary judgment ruling, the ALJ upheld the penalties that OCR had assessed:
- To remedy MD Anderson’s granting of improper access to PHI in 2012 and 2013, in violation of the HIPAA Privacy Rule, the maximum penalty of $1,500,000 for each year.
- To remedy MD Anderson’s failure to implement access safeguards for ePHI under the HIPAA Security Rule, an additional penalty of $1,438,000, calculated at $2,000 per day through the date on which MD Anderson reported it had completed encrypting 98% of its devices containing ePHI.
The message sent by OCR and the ALJ is clear. Once a risk analysis is conducted, and an organization identifies steps to mitigate the risks that are identified, those steps must be implemented promptly. Unlawful or inappropriate individual actions which create a HIPAA violation will not insulate a Covered Entity or Business Associate from liability, when that conduct simply precipitates a foreseeable exposure of PHI.