
MD Anderson Decision Emphasizes Need for Encryption or Alternative

A recent ALJ decision highlights both the flexibility HIPAA gives covered entities in how they protect data and the bottom-line requirement that whatever protection they choose actually work.

By Brian Annulis

July 5, 2018

On June 1, 2018, an Administrative Law Judge (ALJ) for the US Department of Health and Human Services granted summary judgment[1] in favor of the Office for Civil Rights (OCR) and against The University of Texas MD Anderson Cancer Center (MD Anderson) in a matter involving alleged violations of the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA), and its implementing regulations.[2] The decision was publicized on June 18, 2018.[3] More specifically, the ALJ sustained the imposition of daily and annual civil monetary penalties based upon MD Anderson’s failure to encrypt electronic devices, including laptop computers and USB thumb drives, and its resulting unlawful disclosure of electronic Protected Health Information (“ePHI”) relating to about 30,000 individuals in 2012 and more than 3,500 individuals in 2013.[4] In total, OCR fined MD Anderson $4.3 million.

DECISION’S SIGNIFICANCE

The ALJ’s decision is significant for several reasons. First, as noted in the Press Release, this is only the second time OCR has obtained a summary judgment victory in the history of HIPAA enforcement.[5] Second, and arguably more significantly, the ALJ’s decision (and OCR’s underlying enforcement action) is another important reminder that covered entities and business associates must either implement an enterprise-wide encryption policy or implement an effective alternative. Among other things, MD Anderson argued that it was not obligated to encrypt its devices. The ALJ was not convinced.[6] The ALJ acknowledged that encryption is an “addressable” standard under the HIPAA Security Rule,[7] but found that, despite being aware of the need to encrypt,[8] MD Anderson had neither done so nor implemented a reasonable alternative. In other words, “addressable” does not mean optional: an entity that decides encryption is not reasonable and appropriate for its environment must document why and put an equivalent safeguard in its place.

“[The HIPAA Security Rule] give[s] considerable flexibility to covered entities as to how they protect their ePHI. Nothing in those regulations directs the use of specific devices or specific mechanisms by a covered entity. However, the bottom line is that whatever mechanisms an entity adopts must be effective.”[9]

The ALJ Decision is consistent with recent Settlement Agreements and Resolution Agreements with OCR involving covered entities and a failure to encrypt devices. In July 2016, OCR entered into a Resolution Agreement and Corrective Action Plan (CAP) with Oregon Health & Science University (OHSU).[10] The CAP required OHSU, among other things, to implement an enterprise-wide Security Management Process and encryption plan. In August 2016, Advocate Health Care also entered into a Resolution Agreement and CAP with OCR.[11] Like OHSU, Advocate Health Care had to implement a Risk Management Process and an enterprise-wide encryption methodology.

ENFORCEMENT ACTIONS

The ALJ Decision in MD Anderson and OCR’s prior enforcement actions, in OHSU, Advocate Health Care and others, are important reminders that even though encryption of mobile and other devices that transmit or maintain ePHI is an addressable rather than a required implementation specification under the Security Rule, the safeguarding of ePHI itself is a requirement of both the HIPAA Privacy Rule and the Security Rule and a clear expectation of OCR.

The improper use or disclosure of ePHI resulting from inadequate safeguarding may result in fines and penalties, including, through a corrective action plan, the imposition of a mandatory, enterprise-wide encryption program.

Covered entities and business associates would be wise to carefully consider the benefits of a data encryption program, particularly if the lack of an encryption program has previously been identified in their own risk analysis as a high-risk concern. As the MD Anderson facts show, a program that is adopted on paper but rolled out slowly and incompletely leaves the entity exposed: unencrypted devices that remain in the fleet years after the risk was identified are precisely what OCR penalized.


[1] In a nutshell, a summary judgment is a judgment entered by a court for one party and against another party summarily, i.e., without a full trial. The court or judge has determined that there is no genuine dispute about the material facts, so that even taking the facts as alleged by one party (in this case, MD Anderson), the other party (in this case, OCR) is still entitled to judgment as a matter of law. In other words, there is no need for a hearing on the merits of the case, because one party is entitled to a favorable decision based upon the law alone.
[2] Copy of ALJ’s decision (ALJ Decision) is available at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/mdanderson/index.html
[3] Copy of HHS Press Release (Press Release) is available at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/mdanderson/index.html
[4] ALJ Decision at p. 1.
[5] The other case involved Lincare, Inc. See https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/lincare/index.html. OCR also imposed a civil money penalty against Cignet Health. See https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/cignet-health/index.html
[6] ALJ Decision, pp. 4-9.
[7] 45 CFR 164.312(a)(2)(iv).
[8] ALJ Decision at p. 5 (“[MD Anderson] recognized the need to encrypt data as early as 2006.”); p. 6 (“[MD Anderson] delayed encryption of laptop devices for years and then, proceeded with encryption at a snail’s pace.”) (“[A]s of August 2011, [MD Anderson] had not commenced laptop encryption”); p. 7 (“As of January 2014 nearly 10 percent of [MD Anderson’s] computers – more than 2600 devices – remained unencrypted”).
[9] ALJ Decision, p. 9.
[10] https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ohsu/index.html
[11] https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ahcn/index.html