The following communication was distributed on June 21 by Walter Ray, Chief Information Security Officer
A U.S. Department of Health and Human Services administrative law judge has ruled that the University of Texas MD Anderson Cancer Center (MD Anderson) violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and granted a summary judgment to the HHS Office for Civil Rights (OCR) on all issues, requiring MD Anderson to pay $4.3 million in civil penalties to OCR.
An investigation of MD Anderson was launched following three separate data breach reports in 2012 and 2013 involving the theft of an unencrypted laptop from the residence of an MD Anderson employee and the loss of two unencrypted USB thumb drives containing the unencrypted electronic protected health information of over 33,500 individuals.
This case highlights the importance of following good security practices when it comes to data storage. Our own mobile device policy (see link below) includes the following provisions that specifically address the issues that occurred at MD Anderson. Refer to the full policy text for more details.
- Laptops storing institutionally-owned restricted and/or regulated data must be owned by the institution and employ enterprise-approved security software, including endpoint protection and encryption.
- All flash and portable hard drives storing institutionally-owned restricted and/or regulated data must be owned by the institution and encrypted using an approved method of encryption to protect data at rest.
- A lost, missing, or stolen mobile device must be reported immediately to Public Safety and the Information Security Office. Information regarding the loss or theft will be shared between these entities as required. The workforce member with custodial responsibility for the mobile device preceding the incident must complete a Lost/Stolen Equipment Report form describing the data contents of the device, to assist with recovery, device wipe, and breach investigation as applicable. The Information Security Office will report all incidents of compromised regulated information to the Enterprise Privacy Officer for analysis and possible action.
You are personally responsible for ensuring that you comply with the mobile device policy. This means that you should take steps to confirm your laptop is encrypted. Instructions are linked below.
You should also take steps to confirm that you are NOT storing protected health information, student information, or other regulated data on a portable device that is not owned by the institution and encrypted. Ideally, consider whether storing this data on a portable hard drive is necessary at all, since Augusta University provides sanctioned data storage tools, such as Box and network storage, that are secure and backed up daily.
Augusta University Mobile Device Policy
[copy-and-paste-link-into-browser] https://augusta.policytech.com/dotNet/documents/?docid=6342

Instructions for Confirming Your Laptop is Encrypted
[copy-and-paste-link-into-browser] https://gru.service-now.com/kb_view_customer.do?sysparm_article=KB0010811

Source
[copy-and-paste-link-into-browser] https://www.hhs.gov/about/news/2018/06/18/judge-rules-in-favor-of-ocr-and-requires-texas-cancer-center-to-pay-4.3-million-in-penalties-for-hipaa-violations.html

Links are not clickable – please copy and paste the link into your browser.